Analysis
max time kernel: 119s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted: 14/10/2024, 19:50
Static task: static1
Behavioral task: behavioral1
  Sample: 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
  Resource: win10v2004-20241007-en
General
Target: 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Size: 488KB
MD5: 1cb6599d499046914145363734d37450
SHA1: a41ff53d0cda57de3caa7d0c4aa25b422498c0e3
SHA256: 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400
SHA512: 50fb387b5f1c542844e884d73521d18d0da8ee91672704d4deec09c2e80be5abd85e8b8540937e26da9a3ebba0c11e474bbb8b1b85705ed5df58fb725f5f36c7
SSDEEP: 12288:V/Ms/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:VPK2O2HIBEd7M
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | winlogon.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Tiwi.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | imoet.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cute.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe
Disables use of System Restore points (1 TTPs)
Executes dropped EXE (35 IoCs)
pid | Process
2224 | Tiwi.exe
2272 | IExplorer.exe
1992 | winlogon.exe
1524 | Tiwi.exe
2152 | Tiwi.exe
2160 | Tiwi.exe
1400 | IExplorer.exe
2472 | IExplorer.exe
3036 | IExplorer.exe
1760 | Tiwi.exe
2356 | winlogon.exe
2988 | winlogon.exe
2696 | IExplorer.exe
2712 | winlogon.exe
2288 | imoet.exe
2828 | imoet.exe
2812 | imoet.exe
2848 | winlogon.exe
2948 | cute.exe
2944 | cute.exe
2720 | cute.exe
2640 | imoet.exe
1640 | imoet.exe
2088 | cute.exe
1488 | Tiwi.exe
1692 | cute.exe
1504 | IExplorer.exe
316 | Tiwi.exe
1100 | winlogon.exe
2964 | imoet.exe
2204 | IExplorer.exe
500 | cute.exe
2000 | winlogon.exe
1580 | imoet.exe
2220 | cute.exe
Loads dropped DLL (53 IoCs)
pid | Process
2540 | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
2540 | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
2540 | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
2540 | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
2224 | Tiwi.exe
2224 | Tiwi.exe
2540 | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
2272 | IExplorer.exe
2540 | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
2272 | IExplorer.exe
2224 | Tiwi.exe
2540 | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
2540 | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
2224 | Tiwi.exe
1992 | winlogon.exe
1992 | winlogon.exe
2272 | IExplorer.exe
2272 | IExplorer.exe
2224 | Tiwi.exe
2224 | Tiwi.exe
2540 | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
2540 | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
1992 | winlogon.exe
2272 | IExplorer.exe
2272 | IExplorer.exe
2224 | Tiwi.exe
2224 | Tiwi.exe
2540 | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
2272 | IExplorer.exe
2272 | IExplorer.exe
2540 | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
1992 | winlogon.exe
1992 | winlogon.exe
2540 | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
2540 | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
1992 | winlogon.exe
1992 | winlogon.exe
2540 | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
2540 | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
2288 | imoet.exe
2288 | imoet.exe
2288 | imoet.exe
2288 | imoet.exe
2288 | imoet.exe
2948 | cute.exe
2948 | cute.exe
2288 | imoet.exe
2288 | imoet.exe
2948 | cute.exe
2948 | cute.exe
2948 | cute.exe
2948 | cute.exe
2948 | cute.exe
Modifies system executable filetype association (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | cute.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | imoet.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | cute.exe
File opened (read-only) | \??\U: | IExplorer.exe
File opened (read-only) | \??\L: | winlogon.exe
File opened (read-only) | \??\J: | imoet.exe
File opened (read-only) | \??\N: | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File opened (read-only) | \??\S: | winlogon.exe
File opened (read-only) | \??\V: | winlogon.exe
File opened (read-only) | \??\Z: | Tiwi.exe
File opened (read-only) | \??\I: | winlogon.exe
File opened (read-only) | \??\X: | imoet.exe
File opened (read-only) | \??\B: | cute.exe
File opened (read-only) | \??\T: | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File opened (read-only) | \??\Z: | winlogon.exe
File opened (read-only) | \??\G: | imoet.exe
File opened (read-only) | \??\H: | Tiwi.exe
File opened (read-only) | \??\L: | Tiwi.exe
File opened (read-only) | \??\V: | Tiwi.exe
File opened (read-only) | \??\L: | imoet.exe
File opened (read-only) | \??\U: | cute.exe
File opened (read-only) | \??\X: | IExplorer.exe
File opened (read-only) | \??\G: | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File opened (read-only) | \??\L: | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File opened (read-only) | \??\Y: | cute.exe
File opened (read-only) | \??\L: | IExplorer.exe
File opened (read-only) | \??\O: | cute.exe
File opened (read-only) | \??\W: | Tiwi.exe
File opened (read-only) | \??\E: | winlogon.exe
File opened (read-only) | \??\W: | IExplorer.exe
File opened (read-only) | \??\B: | Tiwi.exe
File opened (read-only) | \??\U: | Tiwi.exe
File opened (read-only) | \??\X: | cute.exe
File opened (read-only) | \??\Y: | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File opened (read-only) | \??\I: | Tiwi.exe
File opened (read-only) | \??\B: | winlogon.exe
File opened (read-only) | \??\G: | IExplorer.exe
File opened (read-only) | \??\J: | IExplorer.exe
File opened (read-only) | \??\O: | IExplorer.exe
File opened (read-only) | \??\Z: | IExplorer.exe
File opened (read-only) | \??\W: | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File opened (read-only) | \??\T: | winlogon.exe
File opened (read-only) | \??\T: | IExplorer.exe
File opened (read-only) | \??\P: | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File opened (read-only) | \??\O: | winlogon.exe
File opened (read-only) | \??\R: | IExplorer.exe
File opened (read-only) | \??\Y: | imoet.exe
File opened (read-only) | \??\Z: | cute.exe
File opened (read-only) | \??\G: | cute.exe
File opened (read-only) | \??\I: | cute.exe
File opened (read-only) | \??\H: | IExplorer.exe
File opened (read-only) | \??\E: | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File opened (read-only) | \??\Q: | winlogon.exe
File opened (read-only) | \??\X: | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File opened (read-only) | \??\U: | imoet.exe
File opened (read-only) | \??\B: | IExplorer.exe
File opened (read-only) | \??\N: | IExplorer.exe
File opened (read-only) | \??\M: | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File opened (read-only) | \??\M: | IExplorer.exe
File opened (read-only) | \??\M: | winlogon.exe
File opened (read-only) | \??\M: | cute.exe
File opened (read-only) | \??\T: | cute.exe
File opened (read-only) | \??\Z: | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File opened (read-only) | \??\R: | Tiwi.exe
File opened (read-only) | \??\R: | cute.exe
File opened (read-only) | \??\V: | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Modifies WinLogon (2 TTPs, 18 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | winlogon.exe
Drops autorun.inf file (1 TTPs, 8 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | F:\autorun.inf | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File opened for modification | F:\autorun.inf | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File created | C:\autorun.inf | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File opened for modification | C:\autorun.inf | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File created | F:\autorun.inf | IExplorer.exe
File opened for modification | F:\autorun.inf | IExplorer.exe
File created | F:\autorun.inf | Tiwi.exe
File opened for modification | F:\autorun.inf | Tiwi.exe
Drops file in System32 directory (40 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File created | C:\Windows\SysWOW64\tiwi.scr | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | winlogon.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | imoet.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | cute.exe
File created | C:\Windows\SysWOW64\shell.exe | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | cute.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | Tiwi.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | imoet.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | cute.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | imoet.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | imoet.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | cute.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Drops file in Windows directory 26 IoCs
description                   ioc                        Process
File created                  C:\Windows\msvbvm60.dll    IExplorer.exe
File created                  C:\Windows\tiwi.exe        imoet.exe
File opened for modification  C:\Windows\tiwi.exe        cute.exe
File opened for modification  C:\Windows\msvbvm60.dll    IExplorer.exe
File created                  C:\Windows\tiwi.exe        0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File opened for modification  C:\Windows\tiwi.exe        Tiwi.exe
File created                  C:\Windows\tiwi.exe        IExplorer.exe
File created                  C:\Windows\tiwi.exe        winlogon.exe
File created                  C:\Windows\msvbvm60.dll    IExplorer.exe
File opened for modification  C:\Windows\msvbvm60.dll    IExplorer.exe
File created                  C:\Windows\tiwi.exe        cute.exe
File created                  C:\Windows\msvbvm60.dll    IExplorer.exe
File opened for modification  C:\Windows\tiwi.exe        0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
File created                  C:\Windows\tiwi.exe        Tiwi.exe
File created                  C:\Windows\msvbvm60.dll    IExplorer.exe
File opened for modification  C:\Windows\msvbvm60.dll    IExplorer.exe
File created                  C:\Windows\msvbvm60.dll    IExplorer.exe
File opened for modification  C:\Windows\msvbvm60.dll    IExplorer.exe
File opened for modification  C:\Windows\msvbvm60.dll    IExplorer.exe
File created                  C:\Windows\msvbvm60.dll    IExplorer.exe
File opened for modification  C:\Windows\msvbvm60.dll    IExplorer.exe
File opened for modification  C:\Windows\msvbvm60.dll    IExplorer.exe
File opened for modification  C:\Windows\tiwi.exe        imoet.exe
File created                  C:\Windows\msvbvm60.dll    IExplorer.exe
File opened for modification  C:\Windows\tiwi.exe        IExplorer.exe
File opened for modification  C:\Windows\tiwi.exe        winlogon.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winlogon.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  imoet.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cute.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cute.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  imoet.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winlogon.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  imoet.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cute.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Tiwi.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Tiwi.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Tiwi.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IExplorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IExplorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  imoet.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Tiwi.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winlogon.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IExplorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cute.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  imoet.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IExplorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cute.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winlogon.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Tiwi.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winlogon.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IExplorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  imoet.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  imoet.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IExplorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IExplorer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winlogon.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cute.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cute.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winlogon.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Tiwi.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Tiwi.exe
-
Modifies Control Panel 54 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\SwapMouseButtons = "1"  cute.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"  Tiwi.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"  IExplorer.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"  winlogon.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "Tiwi"  cute.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"  imoet.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"  Tiwi.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "Tiwi"  IExplorer.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\  imoet.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\  imoet.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "Tiwi"  Tiwi.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"  cute.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\  cute.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"  IExplorer.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\  IExplorer.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\  IExplorer.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "Tiwi"  winlogon.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "Tiwi"  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"  imoet.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\SwapMouseButtons = "1"  imoet.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "Tiwi"  cute.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "Tiwi"  imoet.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\  Tiwi.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\  Tiwi.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\  IExplorer.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"  winlogon.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"  IExplorer.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"  cute.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\SwapMouseButtons = "1"  Tiwi.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\SwapMouseButtons = "1"  IExplorer.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "Tiwi"  winlogon.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\  winlogon.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"  imoet.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\  imoet.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\  cute.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"  cute.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\  winlogon.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\  winlogon.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"  winlogon.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "Tiwi"  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"  Tiwi.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\SwapMouseButtons = "1"  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\  Tiwi.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "Tiwi"  IExplorer.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\SwapMouseButtons = "1"  winlogon.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "Tiwi"  imoet.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\  cute.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "Tiwi"  Tiwi.exe
-
Modifies Internet Explorer settings 18 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\  imoet.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."  Tiwi.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"  winlogon.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."  imoet.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\  cute.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."  cute.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"  cute.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"  IExplorer.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."  IExplorer.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\  winlogon.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."  winlogon.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\  Tiwi.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"  Tiwi.exe
Key created  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\  IExplorer.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"  imoet.exe
-
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"  Tiwi.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"  IExplorer.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"  winlogon.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"  imoet.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"  cute.exe
-
Modifies registry class 64 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"  Tiwi.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"  IExplorer.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command  IExplorer.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile  IExplorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"  winlogon.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command  winlogon.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command  cute.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command  cute.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"  IExplorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"  imoet.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile  imoet.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"  cute.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"  cute.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}  Tiwi.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command  Tiwi.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\  IExplorer.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command  IExplorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"  IExplorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"  IExplorer.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command  winlogon.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile  winlogon.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command  imoet.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"  imoet.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command  imoet.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}  cute.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command  cute.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"  Tiwi.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"  Tiwi.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"  winlogon.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command  imoet.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"  cute.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command  Tiwi.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command  Tiwi.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"  IExplorer.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}  imoet.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\  cute.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\  Tiwi.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile  Tiwi.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}  IExplorer.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}  winlogon.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\  winlogon.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command  winlogon.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"  winlogon.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"  cute.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"  cute.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"  winlogon.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}  imoet.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"  imoet.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}  cute.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
pid   Process
2068  Notepad.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid   Process
2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
-
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid   Process
2224  Tiwi.exe
2288  imoet.exe
1992  winlogon.exe
2272  IExplorer.exe
2948  cute.exe
-
Suspicious use of SetWindowsHookEx 36 IoCs
pid   Process
2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
2224  Tiwi.exe
2272  IExplorer.exe
1992  winlogon.exe
2152  Tiwi.exe
1524  Tiwi.exe
2160  Tiwi.exe
1400  IExplorer.exe
2472  IExplorer.exe
2356  winlogon.exe
1760  Tiwi.exe
2988  winlogon.exe
3036  IExplorer.exe
2696  IExplorer.exe
2712  winlogon.exe
2828  imoet.exe
2288  imoet.exe
2812  imoet.exe
2848  winlogon.exe
2948  cute.exe
2720  cute.exe
2944  cute.exe
2640  imoet.exe
1640  imoet.exe
1488  Tiwi.exe
2088  cute.exe
1692  cute.exe
1504  IExplorer.exe
1100  winlogon.exe
316   Tiwi.exe
2964  imoet.exe
2204  IExplorer.exe
500   cute.exe
2000  winlogon.exe
1580  imoet.exe
2220  cute.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 2540 wrote to memory of 2224  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  29
PID 2540 wrote to memory of 2224  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  29
PID 2540 wrote to memory of 2224  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  29
PID 2540 wrote to memory of 2224  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  29
PID 2224 wrote to memory of 2068  2224  Tiwi.exe  30
PID 2224 wrote to memory of 2068  2224  Tiwi.exe  30
PID 2224 wrote to memory of 2068  2224  Tiwi.exe  30
PID 2224 wrote to memory of 2068  2224  Tiwi.exe  30
PID 2540 wrote to memory of 2272  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  31
PID 2540 wrote to memory of 2272  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  31
PID 2540 wrote to memory of 2272  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  31
PID 2540 wrote to memory of 2272  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  31
PID 2540 wrote to memory of 1992  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  32
PID 2540 wrote to memory of 1992  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  32
PID 2540 wrote to memory of 1992  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  32
PID 2540 wrote to memory of 1992  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  32
PID 2540 wrote to memory of 1524  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  33
PID 2540 wrote to memory of 1524  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  33
PID 2540 wrote to memory of 1524  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  33
PID 2540 wrote to memory of 1524  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  33
PID 2224 wrote to memory of 2152  2224  Tiwi.exe  34
PID 2224 wrote to memory of 2152  2224  Tiwi.exe  34
PID 2224 wrote to memory of 2152  2224  Tiwi.exe  34
PID 2224 wrote to memory of 2152  2224  Tiwi.exe  34
PID 2272 wrote to memory of 2160  2272  IExplorer.exe  35
PID 2272 wrote to memory of 2160  2272  IExplorer.exe  35
PID 2272 wrote to memory of 2160  2272  IExplorer.exe  35
PID 2272 wrote to memory of 2160  2272  IExplorer.exe  35
PID 2224 wrote to memory of 1400  2224  Tiwi.exe  36
PID 2224 wrote to memory of 1400  2224  Tiwi.exe  36
PID 2224 wrote to memory of 1400  2224  Tiwi.exe  36
PID 2224 wrote to memory of 1400  2224  Tiwi.exe  36
PID 2540 wrote to memory of 2472  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  37
PID 2540 wrote to memory of 2472  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  37
PID 2540 wrote to memory of 2472  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  37
PID 2540 wrote to memory of 2472  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  37
PID 2272 wrote to memory of 3036  2272  IExplorer.exe  38
PID 2272 wrote to memory of 3036  2272  IExplorer.exe  38
PID 2272 wrote to memory of 3036  2272  IExplorer.exe  38
PID 2272 wrote to memory of 3036  2272  IExplorer.exe  38
PID 1992 wrote to memory of 1760  1992  winlogon.exe  39
PID 1992 wrote to memory of 1760  1992  winlogon.exe  39
PID 1992 wrote to memory of 1760  1992  winlogon.exe  39
PID 1992 wrote to memory of 1760  1992  winlogon.exe  39
PID 2540 wrote to memory of 2356  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  41
PID 2540 wrote to memory of 2356  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  41
PID 2540 wrote to memory of 2356  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  41
PID 2540 wrote to memory of 2356  2540  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe  41
PID 2224 wrote to memory of 2988  2224  Tiwi.exe  40
PID 2224 wrote to memory of 2988  2224  Tiwi.exe  40
PID 2224 wrote to memory of 2988  2224  Tiwi.exe  40
PID 2224 wrote to memory of 2988  2224  Tiwi.exe  40
PID 1992 wrote to memory of 2696  1992  winlogon.exe  42
PID 1992 wrote to memory of 2696  1992  winlogon.exe  42
PID 1992 wrote to memory of 2696  1992  winlogon.exe  42
PID 1992 wrote to memory of 2696  1992  winlogon.exe  42
PID 2272 wrote to memory of 2712  2272  IExplorer.exe  43
PID 2272 wrote to memory of 2712  2272  IExplorer.exe  43
PID 2272 wrote to memory of 2712  2272  IExplorer.exe  43
PID 2272 wrote to memory of 2712  2272  IExplorer.exe  43
PID 2224 wrote to memory of 2828  2224  Tiwi.exe  44
PID 2224 wrote to memory of 2828  2224  Tiwi.exe  44
PID 2224 wrote to memory of 2828  2224  Tiwi.exe  44
PID 2224 wrote to memory of 2828  2224  Tiwi.exe  44
-
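The WriteProcessMemory rows above are the raw material for the process tree that tria.ge draws in the Processes section: a row "PID A wrote to memory of B" links parent A to the child B it has just spawned, and the table lists every link four times. The Python below is an added example, not part of the sandbox report or of the sample. It parses those rows (copied from this report, one per distinct parent/child pair plus one duplicate to show the collapse), names the pids from the SetWindowsHookEx table and the Notepad entry, and rebuilds the tree so that any third-generation Tiwi.exe or IExplorer.exe can be traced back to the submitted executable. The trailing procid_target column is parsed and ignored.

```python
import re
from typing import Dict, List, Tuple

SAMPLE = "0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe"

# Constructed sample input: rows copied from this report's "Suspicious use of
# WriteProcessMemory" table, in report order, one per distinct parent/child pair,
# plus one of the duplicate rows the table carries so the dedupe is exercised.
WRITE_ROWS = [
    f"PID 2540 wrote to memory of 2224 2540 {SAMPLE} 29",
    f"PID 2540 wrote to memory of 2224 2540 {SAMPLE} 29",
    "PID 2224 wrote to memory of 2068 2224 Tiwi.exe 30",
    f"PID 2540 wrote to memory of 2272 2540 {SAMPLE} 31",
    f"PID 2540 wrote to memory of 1992 2540 {SAMPLE} 32",
    f"PID 2540 wrote to memory of 1524 2540 {SAMPLE} 33",
    "PID 2224 wrote to memory of 2152 2224 Tiwi.exe 34",
    "PID 2272 wrote to memory of 2160 2272 IExplorer.exe 35",
    "PID 2224 wrote to memory of 1400 2224 Tiwi.exe 36",
    f"PID 2540 wrote to memory of 2472 2540 {SAMPLE} 37",
    "PID 2272 wrote to memory of 3036 2272 IExplorer.exe 38",
    "PID 1992 wrote to memory of 1760 1992 winlogon.exe 39",
    f"PID 2540 wrote to memory of 2356 2540 {SAMPLE} 41",
    "PID 2224 wrote to memory of 2988 2224 Tiwi.exe 40",
    "PID 1992 wrote to memory of 2696 1992 winlogon.exe 42",
    "PID 2272 wrote to memory of 2712 2272 IExplorer.exe 43",
    "PID 2224 wrote to memory of 2828 2224 Tiwi.exe 44",
]

# pid/image pairs from the "Suspicious use of SetWindowsHookEx" table, which names
# the children; Notepad (pid 2068) comes from "Opens file in notepad".
HOOK_ROW = (f"2540 {SAMPLE} 2224 Tiwi.exe 2272 IExplorer.exe 1992 winlogon.exe 2152 Tiwi.exe "
            "1524 Tiwi.exe 2160 Tiwi.exe 1400 IExplorer.exe 2472 IExplorer.exe 2356 winlogon.exe "
            "1760 Tiwi.exe 2988 winlogon.exe 3036 IExplorer.exe 2696 IExplorer.exe 2712 winlogon.exe "
            "2828 imoet.exe")
EXTRA_NAMES = {2068: "Notepad.exe"}

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

Edges = Dict[int, Tuple[int, str]]  # child pid -> (parent pid, parent image)


def parse_names(hook_row: str, extra: Dict[int, str]) -> Dict[int, str]:
    names = {int(pid): image for pid, image in re.findall(r"(\d+) (\S+)", hook_row)}
    names.update(extra)
    return names


def parse_edges(rows: List[str]) -> Edges:
    """Map child pid -> (parent pid, parent image); duplicate rows collapse to one edge."""
    edges: Edges = {}
    for row in rows:
        m = WRITE_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        parent, child, parent_again, image, _target_idx = m.groups()
        if parent != parent_again:  # the pid column repeats the writer's pid
            raise ValueError(f"inconsistent row: {row!r}")
        edges.setdefault(int(child), (int(parent), image))
    return edges


def children_of(edges: Edges, pid: int) -> List[int]:
    return [child for child, (parent, _) in edges.items() if parent == pid]


def roots(edges: Edges) -> List[int]:
    """Writers that nobody wrote to: the top of each tree (here, the submitted sample)."""
    return sorted({parent for parent, _ in edges.values()} - set(edges))


def ancestry(edges: Edges, pid: int) -> List[int]:
    """Chain from pid up to its root, e.g. a third-generation Tiwi.exe back to the sample."""
    chain = [pid]
    while pid in edges:
        pid = edges[pid][0]
        chain.append(pid)
    return chain


def render(edges: Edges, names: Dict[int, str]) -> List[str]:
    """Indented tree, one line per process, parents before children in report order."""
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}")
        for child in children_of(edges, pid):
            walk(child, depth + 1)

    for root in roots(edges):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    tree = parse_edges(WRITE_ROWS)
    print("\n".join(render(tree, parse_names(HOOK_ROW, EXTRA_NAMES))))
```

Run as a script it prints the same tree the report renders below, with the sample at the top, Tiwi.exe/IExplorer.exe/winlogon.exe as its direct children and Notepad.exe under Tiwi.exe. On a report where a pid has no name in the hook table, the tree shows "?" rather than guessing.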
System policy modification 1 TTPs 12 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"  IExplorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"  imoet.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  cute.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"  cute.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  Tiwi.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  IExplorer.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  winlogon.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"  winlogon.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  imoet.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"  0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"  Tiwi.exe
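Read together, the Winlogon, Control Panel, registry class and System policy signatures show how this sample survives a reboot and hides from the user: Winlogon Shell and Userinit each gain a second executable (C:\Windows\system32\IExplorer.exe), every .exe/.bat/.com/.pif/.lnk launch is routed through C:\Windows\system32\shell.exe, the exefile type name becomes "File Folder" so Explorer's Type column shows executables as folders, tiwi.SCR becomes the screensaver with a 600-second timeout and no password, and DisableCMD blocks cmd.exe. The Python below is an added example, not part of the report or of the sample. It parses registry rows in the format this report prints (the rows embedded in it are copied from the tables above, with the report's own escaping of backslashes and quotes) and flags those changes against the Windows 7 defaults it assumes: Shell = explorer.exe, Userinit = C:\Windows\system32\userinit.exe, the stock "%1" %* open handler for exefile/batfile/comfile/piffile, and an inffile Install handler under System32. The rule names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: rows copied from this report's signature tables, with the
# report's own escaping of backslashes (\\) and double quotes (\") inside value data.
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" Tiwi.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" Tiwi.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" cute.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" imoet.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" imoet.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe',
]

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key (created|opened) (.+) (\S+)$')

HIJACKABLE = ("exefile", "batfile", "comfile", "piffile", "lnkfile")
DEFAULT_SHELL = "explorer.exe"                          # Windows 7 default Winlogon\Shell
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"  # Windows 7 default Winlogon\Userinit


@dataclass
class RegEvent:
    action: str           # "set", "created" or "opened"
    key: str              # key path; for "set" its last component is the value name
    value: Optional[str]  # unescaped data for "set", None otherwise
    process: str


def unescape(value: str) -> str:
    """Undo the report's escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_row(row: str) -> Optional[RegEvent]:
    m = SET_RE.match(row)
    if m:
        return RegEvent("set", m.group(2), unescape(m.group(3)), m.group(4))
    m = KEY_RE.match(row)
    if m:
        return RegEvent(m.group(1), m.group(2), None, m.group(3))
    return None


def classify(ev: RegEvent) -> Optional[Tuple[str, str]]:
    """Return (rule, detail) when a value write is one of the techniques this sample uses."""
    if ev.action != "set" or ev.value is None:
        return None
    key, val = ev.key.lower(), ev.value
    if key.endswith(r"\winlogon\shell") and val.strip().lower() != DEFAULT_SHELL:
        return ("winlogon-shell", val)  # anything besides explorer.exe starts with the desktop
    if key.endswith(r"\winlogon\userinit"):
        extra = [p.strip() for p in val.split(",")
                 if p.strip() and p.strip().lower() != DEFAULT_USERINIT]
        if extra:
            return ("winlogon-userinit", ",".join(extra))  # runs at every interactive logon
    if key.endswith(r"\policies\system\disablecmd") and val == "1":
        return ("cmd-disabled", val)
    if key.endswith(r"\control panel\desktop\scrnsave.exe"):
        return ("screensaver-persistence", val)  # launched after ScreenSaveTimeOut seconds idle
    m = re.search(r"\\classes\\(\w+)\\shell\\(open|install)\\command\\(default)?$", key)
    if m:
        ftype, verb = m.group(1), m.group(2)
        # exefile/batfile/comfile/piffile open with "%1" %* and lnkfile has no open command
        # at all, so a program in front of "%1" is proxying every launch of that type.
        if verb == "open" and ftype in HIJACKABLE and not val.lstrip().startswith(('"%1"', "%1")):
            return ("file-association-hijack", f"{ftype}: {val}")
        # the stock inffile Install handler lives under System32; this sample points elsewhere
        if verb == "install" and ftype == "inffile" and "\\system32\\" not in val.lower():
            return ("file-association-hijack", f"{ftype}: {val}")
    m = re.search(r"\\classes\\(\w+)\\$", key)
    if m and m.group(1) in HIJACKABLE:
        return ("file-type-name-spoof", f"{m.group(1)}: {val}")  # Explorer's Type column lies
    return None


def analyze(rows: List[str]) -> List[Tuple[str, str, str]]:
    """(rule, process, detail) for every row that trips a rule, in report order."""
    findings = []
    for row in rows:
        ev = parse_row(row)
        hit = classify(ev) if ev else None
        if hit:
            findings.append((hit[0], ev.process, hit[1]))
    return findings


if __name__ == "__main__":
    for rule, proc, detail in analyze(REPORT_ROWS):
        print(f"{rule:26} {proc:14} {detail}")
```

Run as a script it prints one line per finding; to apply it to another tria.ge report, paste that report's registry rows into REPORT_ROWS. Each of these keys is a location where a clean host has exactly one expected value, so a write from anything other than a trusted installer is worth an alert on its own, and the exefile handler deserves the highest priority: until it is restored to "%1" %* every program the user starts runs through shell.exe first.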
Processes
(indented by depth in the process tree; each entry gives the image on disk, the PID, the command line as recorded, and the signatures that fired in that process)

C:\Users\Admin\AppData\Local\Temp\0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe (PID 2540)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe"
  Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Disables RegEdit via registry modification; Disables cmd.exe use via registry modification; Loads dropped DLL; Modifies system executable filetype association; Adds Run key to start application; Enumerates connected drives; Modifies WinLogon; Drops autorun.inf file; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies Control Panel; Modifies Internet Explorer settings; Modifies Internet Explorer start page; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification

  C:\Windows\Tiwi.exe (PID 2224)
    Command line: C:\Windows\Tiwi.exe
    Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Disables RegEdit via registry modification; Disables cmd.exe use via registry modification; Executes dropped EXE; Loads dropped DLL; Modifies system executable filetype association; Adds Run key to start application; Enumerates connected drives; Modifies WinLogon; Drops autorun.inf file; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies Control Panel; Modifies Internet Explorer settings; Modifies Internet Explorer start page; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification

    C:\Windows\Notepad.exe (PID 2068)
      Command line: Notepad.exe C:\Present.txt
      Signatures: Opens file in notepad (likely ransom note)

    C:\Windows\Tiwi.exe (PID 2152)
      Command line: C:\Windows\Tiwi.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\IExplorer.exe (PID 1400)
      Command line: C:\Windows\system32\IExplorer.exe
      Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2988)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 2828)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 2944)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\IExplorer.exe (PID 2272)
    Command line: C:\Windows\system32\IExplorer.exe
    Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Disables RegEdit via registry modification; Disables cmd.exe use via registry modification; Executes dropped EXE; Loads dropped DLL; Modifies system executable filetype association; Adds Run key to start application; Enumerates connected drives; Modifies WinLogon; Drops autorun.inf file; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies Control Panel; Modifies Internet Explorer settings; Modifies Internet Explorer start page; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification

    C:\Windows\Tiwi.exe (PID 2160)
      Command line: C:\Windows\Tiwi.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\IExplorer.exe (PID 3036)
      Command line: C:\Windows\system32\IExplorer.exe
      Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2712)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 2812)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 2720)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 1992)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Disables RegEdit via registry modification; Disables cmd.exe use via registry modification; Executes dropped EXE; Loads dropped DLL; Modifies system executable filetype association; Adds Run key to start application; Enumerates connected drives; Modifies WinLogon; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies Control Panel; Modifies Internet Explorer settings; Modifies Internet Explorer start page; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification

    C:\Windows\Tiwi.exe (PID 1760)
      Command line: C:\Windows\Tiwi.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\IExplorer.exe (PID 2696)
      Command line: C:\Windows\system32\IExplorer.exe
      Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2848)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 2640)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 2088)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  C:\Windows\Tiwi.exe (PID 1524)
    Command line: C:\Windows\Tiwi.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\IExplorer.exe (PID 2472)
    Command line: C:\Windows\system32\IExplorer.exe
    Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2356)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 2288)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Disables RegEdit via registry modification; Disables cmd.exe use via registry modification; Executes dropped EXE; Loads dropped DLL; Modifies system executable filetype association; Adds Run key to start application; Enumerates connected drives; Modifies WinLogon; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies Control Panel; Modifies Internet Explorer settings; Modifies Internet Explorer start page; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; System policy modification

    C:\Windows\Tiwi.exe (PID 1488)
      Command line: C:\Windows\Tiwi.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\IExplorer.exe (PID 1504)
      Command line: C:\Windows\system32\IExplorer.exe
      Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 1100)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 2964)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 500)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 2948)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Disables RegEdit via registry modification; Disables cmd.exe use via registry modification; Executes dropped EXE; Loads dropped DLL; Modifies system executable filetype association; Adds Run key to start application; Enumerates connected drives; Modifies WinLogon; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies Control Panel; Modifies Internet Explorer settings; Modifies Internet Explorer start page; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; System policy modification

    C:\Windows\Tiwi.exe (PID 316)
      Command line: C:\Windows\Tiwi.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\IExplorer.exe (PID 2204)
      Command line: C:\Windows\system32\IExplorer.exe
      Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2000)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 1580)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 2220)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 1640)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 1692)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

Two details of the tree are worth reading carefully: every IExplorer.exe is launched as C:\Windows\system32\IExplorer.exe but runs from C:\Windows\SysWOW64, which is the WOW64 file-system redirection applied to a 32-bit process, and the winlogon.exe here is not the system binary but a copy dropped under the user's profile (Local Settings\Application Data is the legacy junction that resolves to AppData\Local on Windows 7).
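The process tree above can be screened for the two masquerading patterns it contains without any registry data. The following is an added example written for this page, not tria.ge code and not derived from the sample: it takes (pid, parent pid, image path, command line) rows constructed from the tree above and tags each process when a genuine system binary name runs outside its home directory (the dropped winlogon.exe), when a name is within two edits of a real binary but is not one (IExplorer.exe against iexplore.exe and explorer.exe), when the image sits under a user-writable root, when a child re-launches exactly its parent's image, and when the program named on the command line is not the image that ran (the system32 versus SysWOW64 redirection). The home directories in SYSTEM_BINARIES are assumed for a default Windows 7 x64 install; the user-writable root list is deliberately minimal.

```python
import ntpath
import shlex
from typing import Dict, List

# Genuine Windows binaries whose names the dropped files reuse or imitate, with the
# directory each one lives in on a default Windows 7 x64 install (assumed).
SYSTEM_BINARIES = {
    "winlogon.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
    "iexplore.exe": "c:\\program files\\internet explorer",
}
USER_WRITABLE_ROOTS = ("c:\\users\\",)

# Constructed from the process tree in this report: (pid, parent pid, image path, command line).
SAMPLE_NAME = "0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400N.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
LOCAL = r"C:\Users\Admin\Local Settings\Application Data\WINDOWS"
SAMPLE_TREE = [
    (2540, None, TEMP + "\\" + SAMPLE_NAME, '"' + TEMP + "\\" + SAMPLE_NAME + '"'),
    (2224, 2540, r"C:\Windows\Tiwi.exe", r"C:\Windows\Tiwi.exe"),
    (2068, 2224, r"C:\Windows\Notepad.exe", r"Notepad.exe C:\Present.txt"),
    (2152, 2224, r"C:\Windows\Tiwi.exe", r"C:\Windows\Tiwi.exe"),
    (1400, 2224, r"C:\Windows\SysWOW64\IExplorer.exe", r"C:\Windows\system32\IExplorer.exe"),
    (2988, 2224, LOCAL + r"\winlogon.exe", '"' + LOCAL + r'\winlogon.exe"'),
    (2828, 2224, LOCAL + r"\imoet.exe", '"' + LOCAL + r'\imoet.exe"'),
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch names one or two edits away from a real binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_process(proc, by_pid) -> List[str]:
    """Return the masquerading tags that apply to one (pid, ppid, image, cmdline) row."""
    pid, ppid, image, cmdline = proc
    tags = []
    name = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower()
    # 1. A genuine system binary name running from somewhere other than its home directory.
    if name in SYSTEM_BINARIES:
        if directory != SYSTEM_BINARIES[name]:
            tags.append("system_name_outside_home_dir")
    else:
        # 2. A name within two edits of a system binary name (IExplorer.exe vs iexplore.exe).
        for real in SYSTEM_BINARIES:
            if edit_distance(name, real) <= 2:
                tags.append("lookalike_of:" + real)
    # 3. Image stored under a user-writable root.
    if directory.startswith(USER_WRITABLE_ROOTS):
        tags.append("runs_from_user_writable_path")
    # 4. Child re-launches exactly its parent's image (self-replication in the tree).
    parent = by_pid.get(ppid)
    if parent is not None and parent[2].lower() == image.lower():
        tags.append("re_executes_parent_image")
    # 5. The program named on the command line is not the image that actually ran
    #    (a 32-bit process asked for system32 and WOW64 redirected it to SysWOW64).
    first = shlex.split(cmdline, posix=False)[0].strip('"')
    expected = image.lower() if ntpath.dirname(first) else name
    if first.lower() != expected:
        tags.append("cmdline_path_differs_from_image")
    return tags


def analyze_tree(tree) -> Dict[int, List[str]]:
    """Tag every process in the tree, keyed by PID."""
    by_pid = {p[0]: p for p in tree}
    return {p[0]: analyze_process(p, by_pid) for p in tree}


if __name__ == "__main__":
    for pid, tags in analyze_tree(SAMPLE_TREE).items():
        print(pid, ", ".join(tags) or "-")
```

Rule 2 is skipped for names that are themselves genuine system binaries, otherwise explorer.exe would be reported as a lookalike of iexplore.exe (they are two edits apart). On real endpoint telemetry, rule 5 needs the image path from the process-creation event rather than from the command line, which is exactly why the report records both.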
Network
MITRE ATT&CK Enterprise v15
(the number after each technique is the count of matching signatures)

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (9)
Downloads
(files written during the run; size and hashes only)

- Filesize: 729B
  MD5: 8e3c734e8dd87d639fb51500d42694b5
  SHA1: f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
  SHA256: 574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
  SHA512: 06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

- Filesize: 45KB
  MD5: 39567e7ab98b08a80d7d83f8e4348171
  SHA1: 67a9bfe84b3fe0201189447d76f1e595639abbf3
  SHA256: 5c7183fe005a9cb318eea52b3a8457c2ee8f000f9f4c7bf3dbf5b1c409b4c93c
  SHA512: 1919b8eac3ad060d8268a6fce9b34c1116219994f0cd21091d2b9ea32f6c77acec9bba00f72917cc3824f1c1d0396bcc00da73808f0bf426e70d1c2204bbf157

- Filesize: 488KB
  MD5: c5796e66f806bf6e0294d502c4ab11fb
  SHA1: 34d84cb102858b31ef979e78815d9396bd92c96b
  SHA256: a75f55a9752a8bcf7c8da6b0be331351445fc2564c180fce96ca8e7264a7b8fd
  SHA512: cfe170d741d24dbd1a9253e1e0df1433c18f7665d89b09824ee0b07bbd9adea0529764ff418432131ea205b051f606a3ef210c957fcfea5f57b5214abee8fcff

- Filesize: 488KB
  MD5: 37d3a5bd44896806679e9761d931d517
  SHA1: 415c6f59317d1ace1173579319b0922e9cd77093
  SHA256: 96e3685d248dde7cb74a48181ebb6d3c88aef415a1166fe23634b71d829b0971
  SHA512: 9912fb08464a313383adc3269e63b010707adbc9326d601a0bb579a3a575d5a89456ebc7c6af8a3a704c2f434a7e9acaab6986f3b9f7ed7b9b28f465a901c9b2

- Filesize: 488KB
  MD5: 687efb146eed5e76b4a18e88b9f358e4
  SHA1: bd3522d3198f81b2d968e1be537b334bdeba679a
  SHA256: 51465d223ff76b9d43a0b3655aecdd79c2f8fa15c2fd0001c1244a0309427948
  SHA512: 9d82dd09c890709f0ec21b2d09d016c4472bd7b035ce0acc5e06082e322dd0badacc9dc2d5a417445d07871b67d3b868bc55adbd9bf5b9e2d4d304e0cdca2185

- Filesize: 488KB
  MD5: 84462bcbba72b276e1fad85bac452cb9
  SHA1: 4173a84243c507f5b19834d570c8446095b7483e
  SHA256: 39db6a80b4732ee193713ccfc2260d3853d51f421e5f16795890bcad646c01bc
  SHA512: a7be382a25b981c1b03b66e344020dc4cb1959cc46ea3a90163f82956b57c77601b88538fc1060261bfda70a9d725af235492f44e187b336618eeceff03fecf6

- Filesize: 45KB
  MD5: 2470de4a1dcc27ef0c111a9be35adb09
  SHA1: 821a541d88cfcd688d2312b36be69d730abbbb51
  SHA256: 3ae3c5131bdb74d18ec1eaddc1e4cd43e621204fb98efaca65597b648dc4c344
  SHA512: dfa1248d27cae45264ae6133d1f8c7550d55f3ce8938b7b67ebfa81b3f511fde3e8ab3d50037754547d48af44871dd5ec0942d07b7428d58f97618228202131d

- Filesize: 45KB
  MD5: fea9e6a8fce415dad64dfcbf225e83e5
  SHA1: ff7f956dfda3c96d4c2ea321ad6eb08eca22ce35
  SHA256: 5ff71daa3a58ffac70c378633ed0a6bbfc2f9475d0c4c0762e4ddfc8fb217202
  SHA512: 256783d6d951ecb3a35b69b380a3d542b2fb30d3740b78a8d5e9a3c35ece6f25e1ddb00040df7061d6c4a54a89bec161a5609a146c6d1da4f0e0ee9761bfe908

- Filesize: 45KB
  MD5: d86479ed6b35e96e4a23e154172bef87
  SHA1: adf1e6f6745e2e4575bd9a7b232dd83d0c29ba51
  SHA256: 564e3692f878b319cfd135083ab424a9a81d9bac3f8a60da57fbf5a092b9123b
  SHA512: d3cdfc4218750b577da976399086d362d3883e714fdea37facbfb02dd5dc3a46e5cd97cfd6a22730199a40b6d060624689cb0a30a9c37e36c3af8ab271a0d4d1

- Filesize: 488KB
  MD5: 96f629898fa60059fbb39a501e7ce454
  SHA1: 30712506bf866ce5f18f2e93794836ee1f6206f9
  SHA256: ba33eba864445033da30f74144b086487b0605e0192a5d9614152467e8fbac56
  SHA512: 49bee79092cc525e04f252e49bcc5cb39e01c54bf253ddabe52cf7fd2c9f3d9c3738d78a921648c234dedf6a2cc31f2db93716b0715da287d721f49fbdba347d

- Filesize: 488KB
  MD5: b45fc62150cb8c3b9db3f0989e89629e
  SHA1: 21674144d0bb72191d7fa4d1ce6b1a5bdb5c0211
  SHA256: bcc3d40237127d3afffe5fec94a8a5d1b820e1c2d601cb7db7f8bd933524ac9f
  SHA512: b82e0887b5ef6fb3d17662e7f118ec82813855ef388bb5f90ff0810f4894b0254f7c0e3aa2082df5554cd5e4bb4a432987e3c77c49c13ff59efef696ab547cb8

- Filesize: 488KB
  MD5: 9eb64b5eef1ede93aada3cc040c4c702
  SHA1: dad97e6b2c8a23d20354f613155ea4bd43d17a50
  SHA256: f0f7f18fa188dd84a294aa22ac0b8f679eb30e291047a8a7c7b604b1c2e070d1
  SHA512: a410a08922e9443d5cafa4d4816d73ee64a0f4c6d48047adf023dff6a9180a4aadcc75f56ca56f22f9560bb6f07aa67177ca18fa81d38c9686894f98e7d23872

- Filesize: 1.3MB
  MD5: 5343a19c618bc515ceb1695586c6c137
  SHA1: 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
  SHA256: 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
  SHA512: 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

- Filesize: 488KB
  MD5: a17cf39d53dfae6c64c939a16fb6eb43
  SHA1: 547b97a110c5117c0e41c36520d080f759401063
  SHA256: c6bf0ec032d1ee25b51a75edb7dc8fd47ffa08e6ba57e7b1faa8337b53faa30c
  SHA512: e232952d54ec3653de4ff1afad5aa658342a14ad62ba89ec06bd30781df471faee313d55b595ae615226d1965f950bd23e074c2f285279fb04434f923ba0d770

- Filesize: 488KB
  MD5: c0f836db916b28dde4107afe29540d6b
  SHA1: c0984e5467a7414ea97a93ea836a25a0adf42244
  SHA256: 99a25841823a50d092945d7f26fc22672b248fdcaea627a910d38d09ca037ea8
  SHA512: d49b1c68e0eec6ea294dbc732076bfbf0be282e6a81bc3f287256a11a00e92034f4689144948fdd6c60bd921fab4dd224e47774e4d956425483feda28c9d6b89

- Filesize: 488KB (identical to the submitted sample's hashes)
  MD5: 1cb6599d499046914145363734d37450
  SHA1: a41ff53d0cda57de3caa7d0c4aa25b422498c0e3
  SHA256: 0f3e338fb27e08a0b3c404f4635722047235bef8ac1d7adb8967942891195400
  SHA512: 50fb387b5f1c542844e884d73521d18d0da8ee91672704d4deec09c2e80be5abd85e8b8540937e26da9a3ebba0c11e474bbb8b1b85705ed5df58fb725f5f36c7

- Filesize: 488KB
  MD5: 2f3d82aec15be2656075dcf301f31de0
  SHA1: 5c186191c77abd64d310afd0eed05bd87599365a
  SHA256: 39553a6ece36262d4784d4df12f9b69f9ad93cad8214ed1e7913e3e771d3580e
  SHA512: ec3f7e5be9b6ffa4551de9c1118a949506f197449489aa7e4401f7355206a47fd8d0037b0a6476ae3fe5be48440cb40536948c019f135538633cb9b159be0a39

- Filesize: 488KB
  MD5: 68525281db218bdd8f71104fe2ebb1f6
  SHA1: 42d4687f1876578f23a16fdf41ad97879b480de0
  SHA256: 8e1397ac125eca0479c78fe0f52cef534810cc7c835aa10bf3a9ff6f8404dc46
  SHA512: 5c25220486d3e012e8d030a6686c5f5bb0cebcdda7524cb64e2097607d8e9cb4d04f2fd28ee592185e3a17903f513bef09f5dfffed6ecbaf5f3cee851831b420

- Filesize: 488KB
  MD5: 661456e51fd80d4127660b67aae762ef
  SHA1: f86226c1855c670bf5ce846995297d75bb5c0fb5
  SHA256: 29b1cdd4f5fecaf1f44b21d38b2139ed77cfec41872c9605f62269dd4efeb79e
  SHA512: e961601ae64bc1759fb76b25770ef3aac4123e2386b065ead238dc86a56c22d07beb9737c56eeeb8614c09c4f01fa744e04e0e1a211c77d6cabe86630d502216

- Filesize: 488KB
  MD5: 9cd8282436f047ae2af75c38c5cb520b
  SHA1: baf0b0d4e93bcb60c47dfcde5334f50d025a5644
  SHA256: e28a14727a225ebf526efd5549b3bc857a99bebee5415930d6b27ea0debb2dba
  SHA512: ca9874dc8d889756ea3cb0bc67e521797ca4bff36e3a2f93c1299d66d81dcbbd38339512c55b8869bfa101a93b09cb72715a3d02c3ec6581754f9ff308956bc5

- Filesize: 488KB
  MD5: 198bde1d0db258224b50f4ba17fba0dd
  SHA1: 19b1aaa680eb085018a726b83a0c175afb0737f0
  SHA256: 3753740ebc5dc22616cecf01b1becb8fd744d0b2aaa1fb3707bd418a9d0b323b
  SHA512: 4732eadbfd9439a4834da541567fa8de3eee0813e0809c4b6b9be35683a7be080ee166a9ff8cb3dcbed5ec5257a9c4d61a5960c88a25e5401604c9e4dcb9986d

- Filesize: 488KB
  MD5: d63d5537df7cf9671b26e4523a800ab3
  SHA1: 4dc9fc2a6970bdd39b889e801781da691ca84c1e
  SHA256: 26683ae91efafc5f2449cde293f506bde8e64578839d6712f5d6a0db82ab95d2
  SHA512: 7951bdf8b88209974987df3025b4d3a2f86387b76061b10c87979d2989114f06731bad1bf389ad65c8a26d1308f3441a51b5ed0b5c304ef7f51ef0c1ffda57b2

- Filesize: 488KB
  MD5: b113cfcfb420bca834d7159e1e36f507
  SHA1: e38a801e07f9be214f637ff009b6d4f2a18bc739
  SHA256: ce7e660fb06e01449a37fbe46ccdefa5058d75e08e7717fc2e23589b747aa5b1
  SHA512: d7b56f1defe8c37eaec508d508385d7cce1899277f0d919d25bc0eda5419c212104da43886e84edf9eedd780e2853018c11aef46ce3cb36e04d71de704919e28

- Filesize: 39B
  MD5: 415c421ba7ae46e77bdee3a681ecc156
  SHA1: b0db5782b7688716d6fc83f7e650ffe1143201b7
  SHA256: e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
  SHA512: dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

- Filesize: 488KB
  MD5: d456560ba13e6f1da5f4b5d56153f5e1
  SHA1: 73e11d31ce22957ad8baaf39045ff4862301c667
  SHA256: edb89961d8bc3c2f5d5fbe1ee5e181bdbaf10e9c4a037ce1b73428070e5074a6
  SHA512: 995871d21dcb04e8071523759b66559c55bbb32a18da22ecce0ccf9cff188906598d7ad23a67e3c2c96dae86f9e3df351747df177c23ea3e8ab3cdca6d6c69c7

- Filesize: 488KB
  MD5: f043081ec0e51fa7a478d11633e5e2b5
  SHA1: 548d6177d988a99bc09df5d7f958578f31318bc3
  SHA256: 5f969f36b31fe72313c10311f0a71d2d0917ab0af743a5317217e9ba95262a7c
  SHA512: 5740430b6cfc9373ff20e8a636f754178538f1a2a7a86e8493f2216fcb6b592fbfc88d50d592e59d18ff6be1fdf6b7580c614f699530ce66c31bd56da8604251

Note that most of the 488KB files share the sample's size but not its hashes, so hunting for the dropped copies by the submitted hash alone will miss them; the size plus the file names in the process tree (Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe) is the more useful pivot.