Analysis
-
max time kernel
150s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
01-11-2024 11:00
Static task
static1
Behavioral task
behavioral1
Sample
7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe
Resource
win10v2004-20241007-en
General
-
Target
7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe
-
Size
91KB
-
MD5
685403cb101fb109846fc08743c34d9e
-
SHA1
308996254958dbb83bc768873dec55f7323fb35d
-
SHA256
7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d
-
SHA512
54235ae168dfd55721032f049eb876d004e1f4ea7704a99be46cd0754f6bac8da0b9adbe6598d873c4501bd6599a2812ec82688468dd6ce0c647e5b2bc44f8b6
-
SSDEEP
1536:IFAutcCNS1mgnd2y1nrPlGiCcCBEulwhFAutcCNS1mgnd2y1nrPlGiCcCBEulwu:IpWC4YgBPlGiyllOpWC4YgBPlGiylll
Malware Config
Extracted
gozi
Signatures
-
Gozi family
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" cute.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" imoet.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Tiwi.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cute.exe -
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe -
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 35 IoCs
pid Process 2556 Tiwi.exe 2268 IExplorer.exe 1640 winlogon.exe 1476 imoet.exe 1208 cute.exe 288 Tiwi.exe 2632 Tiwi.exe 1936 IExplorer.exe 1520 winlogon.exe 1464 IExplorer.exe 2692 Tiwi.exe 1596 imoet.exe 884 winlogon.exe 2344 Tiwi.exe 2392 IExplorer.exe 1648 cute.exe 2956 Tiwi.exe 2952 imoet.exe 2792 IExplorer.exe 2744 Tiwi.exe 2860 winlogon.exe 2352 IExplorer.exe 1808 IExplorer.exe 2100 winlogon.exe 3032 cute.exe 2152 imoet.exe 2200 winlogon.exe 2656 imoet.exe 2020 imoet.exe 2288 winlogon.exe 2512 cute.exe 2084 imoet.exe 1956 cute.exe 2500 cute.exe 2300 cute.exe -
Loads dropped DLL 53 IoCs
pid Process 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 2556 Tiwi.exe 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 2556 Tiwi.exe 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 2268 IExplorer.exe 2268 IExplorer.exe 2556 Tiwi.exe 2556 Tiwi.exe 2556 Tiwi.exe 2556 Tiwi.exe 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 1640 winlogon.exe 2268 IExplorer.exe 2268 IExplorer.exe 1640 winlogon.exe 1208 cute.exe 1640 winlogon.exe 1208 cute.exe 1476 imoet.exe 1476 imoet.exe 2268 IExplorer.exe 2268 IExplorer.exe 2556 Tiwi.exe 2556 Tiwi.exe 1640 winlogon.exe 1640 winlogon.exe 1208 cute.exe 1208 cute.exe 1476 imoet.exe 1476 imoet.exe 1208 cute.exe 1208 cute.exe 1476 imoet.exe 2268 IExplorer.exe 2268 IExplorer.exe 1208 cute.exe 1476 imoet.exe 1476 imoet.exe 1640 winlogon.exe 1640 winlogon.exe -
Modifies system executable filetype association 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\X: 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File opened (read-only) \??\Y: imoet.exe File opened (read-only) \??\Y: cute.exe File opened (read-only) \??\E: winlogon.exe File opened (read-only) \??\I: winlogon.exe File opened (read-only) \??\M: winlogon.exe File opened (read-only) \??\W: 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File opened (read-only) \??\H: Tiwi.exe File opened (read-only) \??\N: Tiwi.exe File opened (read-only) \??\B: IExplorer.exe File opened (read-only) \??\E: IExplorer.exe File opened (read-only) \??\Y: winlogon.exe File opened (read-only) \??\M: IExplorer.exe File opened (read-only) \??\S: cute.exe File opened (read-only) \??\X: winlogon.exe File opened (read-only) \??\Z: 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File opened (read-only) \??\J: IExplorer.exe File opened (read-only) \??\M: imoet.exe File opened (read-only) \??\W: cute.exe File opened (read-only) \??\J: winlogon.exe File opened (read-only) \??\U: winlogon.exe File opened (read-only) \??\T: Tiwi.exe File opened (read-only) \??\T: imoet.exe File opened (read-only) \??\N: cute.exe File opened (read-only) \??\B: winlogon.exe File opened (read-only) \??\N: winlogon.exe File opened (read-only) \??\S: 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File opened (read-only) \??\Y: Tiwi.exe File opened (read-only) \??\Y: IExplorer.exe File opened (read-only) \??\B: cute.exe File opened (read-only) \??\R: winlogon.exe File opened (read-only) \??\P: 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File opened (read-only) \??\Q: 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File opened (read-only) \??\U: Tiwi.exe File opened (read-only) \??\O: IExplorer.exe File opened (read-only) \??\V: cute.exe File opened (read-only) \??\O: winlogon.exe File opened (read-only) \??\V: winlogon.exe File opened (read-only) \??\N: 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File opened (read-only) \??\T: IExplorer.exe File opened (read-only) \??\V: IExplorer.exe File opened (read-only) \??\E: imoet.exe File opened (read-only) \??\P: imoet.exe File opened (read-only) \??\R: imoet.exe File opened (read-only) \??\B: 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File opened (read-only) \??\G: Tiwi.exe File opened (read-only) \??\V: Tiwi.exe File opened (read-only) \??\G: winlogon.exe File opened (read-only) \??\L: 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File opened (read-only) \??\J: Tiwi.exe File opened (read-only) \??\Q: Tiwi.exe File opened (read-only) \??\U: IExplorer.exe File opened (read-only) \??\O: cute.exe File opened (read-only) \??\Q: winlogon.exe File opened (read-only) \??\R: cute.exe File opened (read-only) \??\G: 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File opened (read-only) \??\M: 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File opened (read-only) \??\S: imoet.exe File opened (read-only) \??\E: cute.exe File opened (read-only) \??\K: cute.exe File opened (read-only) \??\K: Tiwi.exe File opened (read-only) \??\R: Tiwi.exe File opened (read-only) \??\J: imoet.exe File opened (read-only) \??\M: Tiwi.exe -
Modifies WinLogon 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ cute.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created F:\autorun.inf 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File opened for modification F:\autorun.inf 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File created C:\autorun.inf 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File opened for modification C:\autorun.inf 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe -
Drops file in System32 directory 40 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\shell.exe cute.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe imoet.exe File created C:\Windows\SysWOW64\IExplorer.exe imoet.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\tiwi.scr 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File created C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr cute.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr imoet.exe File created C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\shell.exe 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr winlogon.exe File created C:\Windows\SysWOW64\IExplorer.exe cute.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe cute.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File opened for modification C:\Windows\SysWOW64\shell.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\shell.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe imoet.exe File opened for modification C:\Windows\SysWOW64\shell.exe 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File created C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File created C:\Windows\SysWOW64\IExplorer.exe 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr Tiwi.exe -
Drops file in Windows directory 26 IoCs
description ioc Process File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe IExplorer.exe File created C:\Windows\tiwi.exe cute.exe File created C:\Windows\tiwi.exe winlogon.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe File created C:\Windows\tiwi.exe Tiwi.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe imoet.exe File created C:\Windows\tiwi.exe imoet.exe File opened for modification C:\Windows\tiwi.exe winlogon.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe Tiwi.exe File opened for modification C:\Windows\tiwi.exe IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe cute.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe -
Modifies Control Panel 54 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s2359 = "Tiwi" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s2359 = "Tiwi" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s1159 = "Tiwi" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" cute.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\ 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s1159 = "Tiwi" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s1159 = "Tiwi" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s2359 = "Tiwi" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s2359 = "Tiwi" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\SwapMouseButtons = "1" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s1159 = "Tiwi" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\SwapMouseButtons = "1" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" cute.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\ imoet.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s2359 = "Tiwi" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\SwapMouseButtons = "1" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\ imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\SwapMouseButtons = "1" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s1159 = "Tiwi" imoet.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ cute.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s1159 = "Tiwi" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\SwapMouseButtons = "1" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s2359 = "Tiwi" imoet.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\ 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\SwapMouseButtons = "1" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\ winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\ cute.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." cute.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\ 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" imoet.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\ cute.exe -
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" winlogon.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command imoet.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process 2556 Tiwi.exe 1476 imoet.exe 1640 winlogon.exe 2268 IExplorer.exe 1208 cute.exe -
Suspicious use of SetWindowsHookEx 36 IoCs
pid Process 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 2556 Tiwi.exe 2268 IExplorer.exe 1640 winlogon.exe 1476 imoet.exe 1208 cute.exe 288 Tiwi.exe 2632 Tiwi.exe 1936 IExplorer.exe 1520 winlogon.exe 1464 IExplorer.exe 2692 Tiwi.exe 1596 imoet.exe 884 winlogon.exe 2344 Tiwi.exe 2392 IExplorer.exe 1648 cute.exe 2956 Tiwi.exe 2952 imoet.exe 2860 winlogon.exe 2744 Tiwi.exe 2792 IExplorer.exe 2100 winlogon.exe 2352 IExplorer.exe 1808 IExplorer.exe 2200 winlogon.exe 3032 cute.exe 2288 winlogon.exe 2152 imoet.exe 2020 imoet.exe 2656 imoet.exe 2512 cute.exe 2084 imoet.exe 2500 cute.exe 1956 cute.exe 2300 cute.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1820 wrote to memory of 2556 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 30 PID 1820 wrote to memory of 2556 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 30 PID 1820 wrote to memory of 2556 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 30 PID 1820 wrote to memory of 2556 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 30 PID 1820 wrote to memory of 2268 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 31 PID 1820 wrote to memory of 2268 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 31 PID 1820 wrote to memory of 2268 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 31 PID 1820 wrote to memory of 2268 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 31 PID 1820 wrote to memory of 1640 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 32 PID 1820 wrote to memory of 1640 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 32 PID 1820 wrote to memory of 1640 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 32 PID 1820 wrote to memory of 1640 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 32 PID 1820 wrote to memory of 1476 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 33 PID 1820 wrote to memory of 1476 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 33 PID 1820 wrote to memory of 1476 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 33 PID 1820 wrote to memory of 1476 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 33 PID 1820 wrote to memory of 1208 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 34 PID 1820 wrote to memory of 1208 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 34 PID 1820 wrote to memory of 1208 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 34 PID 1820 wrote to memory of 1208 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 34 PID 1820 wrote to memory of 288 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 35 PID 1820 wrote to memory of 288 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 35 PID 1820 wrote to memory of 288 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 35 PID 1820 wrote to memory of 288 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 35 PID 1820 wrote to memory of 1936 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 36 PID 1820 wrote to memory of 1936 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 36 PID 1820 wrote to memory of 1936 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 36 PID 1820 wrote to memory of 1936 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 36 PID 2556 wrote to memory of 2632 2556 Tiwi.exe 37 PID 2556 wrote to memory of 2632 2556 Tiwi.exe 37 PID 2556 wrote to memory of 2632 2556 Tiwi.exe 37 PID 2556 wrote to memory of 2632 2556 Tiwi.exe 37 PID 1820 wrote to memory of 1520 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 39 PID 1820 wrote to memory of 1520 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 39 PID 1820 wrote to memory of 1520 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 39 PID 1820 wrote to memory of 1520 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 39 PID 2556 wrote to memory of 1464 2556 Tiwi.exe 38 PID 2556 wrote to memory of 1464 2556 Tiwi.exe 38 PID 2556 wrote to memory of 1464 2556 Tiwi.exe 38 PID 2556 wrote to memory of 1464 2556 Tiwi.exe 38 PID 1820 wrote to memory of 1596 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 40 PID 1820 wrote to memory of 1596 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 40 PID 1820 wrote to memory of 1596 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 40 PID 1820 wrote to memory of 1596 1820 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe 40 PID 2268 wrote to memory of 2692 2268 IExplorer.exe 41 PID 2268 wrote to memory of 2692 2268 IExplorer.exe 41 PID 2268 wrote to memory of 2692 2268 IExplorer.exe 41 PID 2268 wrote to memory of 2692 2268 IExplorer.exe 41 PID 2268 wrote to memory of 2392 2268 IExplorer.exe 42 PID 2268 wrote to memory of 2392 2268 IExplorer.exe 42 PID 2268 wrote to memory of 2392 2268 IExplorer.exe 42 PID 2268 wrote to memory of 2392 2268 IExplorer.exe 42 PID 2556 wrote to memory of 884 2556 Tiwi.exe 43 PID 2556 wrote to memory of 884 2556 Tiwi.exe 43 PID 2556 wrote to memory of 884 2556 Tiwi.exe 43 PID 2556 wrote to memory of 884 2556 Tiwi.exe 43 PID 1476 wrote to memory of 2956 1476 imoet.exe 44 PID 1476 wrote to memory of 2956 1476 imoet.exe 44 PID 1476 wrote to memory of 2956 1476 imoet.exe 44 PID 1476 wrote to memory of 2956 1476 imoet.exe 44 PID 1640 wrote to memory of 2344 1640 winlogon.exe 45 PID 1640 wrote to memory of 2344 1640 winlogon.exe 45 PID 1640 wrote to memory of 2344 1640 winlogon.exe 45 PID 1640 wrote to memory of 2344 1640 winlogon.exe 45 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Tiwi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe"C:\Users\Admin\AppData\Local\Temp\7c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1820 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2556 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2632
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1464
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:884
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2952
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3032
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2268 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2692
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2392
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2860
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2152
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2512
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1640 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2344
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2792
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2100
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2656
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2300
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1476 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2956
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1808
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2288
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2084
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2500
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1208 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2744
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2352
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2200
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2020
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1956
-
-
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:288
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1936
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1520
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1596
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1648
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
91KB
MD56276a658a1d5ddcd7a3c5816c2cd6187
SHA175963e754c5e705a2fd6529fe7b44c8db81517fd
SHA2562d7422c3c5b1f5f2838486e837c6d39ab98a078d7b6ecf3eee5ed3cfbf997b8a
SHA512c268867905cd78be2b72d3c193a96e96d35ad6fe7b0916a00ac0525214461466062ea8878e1d55cc659191e649c29cb325f8a8dc877725646e9a27cc24893442
-
Filesize
45KB
MD5ddd7093039e40b095b02e0d4d4a5afd3
SHA1496b292f74d288a406add7af6865620e924d5edf
SHA25699d546ec5220a261ed18166943ca486a24aa9021f22bc7024b8f1c98d9616265
SHA5129fed7802de0b58113573f8817a95264ddd7ddbe32531a904105a5cba0329a8bd31e2a4e430e43ad70a580240626dd75a73701c22d4c815543c87cc5a529835eb
-
Filesize
45KB
MD52c3f250ee2335f981d08ab0ee7ed78cb
SHA1c6c1873cfb0c477a11047a2d7a8d70347686e67f
SHA2560c14308483cc46cfa8f29645530b97c2cf471932fed81c927a3d86a950571800
SHA512ad1c50deec00f5cc2ba03602528f55833eada3f7fc25328c3ed741b722fd8909959ffb54a4c9706a5a1c64d951089774915abd1c59d55c09f09383ab07ace0ed
-
Filesize
45KB
MD596d33e2696a9572364e91b5ad6947671
SHA1cd1be159f3712ad763466c26c1e2dadae5e8dcf0
SHA256589b9f3ad976cbc132b701bc7b4d5eba21fbae3c494a776f113c7c9184fecfcb
SHA51269684dc8c774d5fdec99dbe60bcb5bd958955fb5c87a90801cf868326df1d50fe976e945a14c7b1a6acb1f15dcc6ff26082b2eeb3d2c0680b4129b8a792c2c89
-
Filesize
45KB
MD51fbaba02791edcbacf21a66ed814bf34
SHA1ce733634a5a84f84f80f2b33278adbf066c3c648
SHA2565747c7fd09f19d95db1157bcfd4732b9dfc0538a6a0f7629adf25acdf90729b7
SHA51221a0690de2a71a6c11f2fe3d2501755167ebdc4ed5c25272385488f9cb19739a5dc767119b95df5513a64647b5fa412be4c06e9d66e512933a9892fe20314b49
-
Filesize
91KB
MD57bcad44b4eab8e41777aef15836d7fcd
SHA14057437cd37cae68c23d0c2513c298d6a8f3137f
SHA25600396309fd00691b1b39456e07dc1a2a4fa72f83141b26061432d2767de41305
SHA5126c0eda11471bbf479441c31dd6b20a187a4466765b90679c1583b6c317c58e4be7b0c93f7a6d8326e0e6add1ccfd8f5f2f3fb962ed16c3ccb702c63fbb558849
-
Filesize
91KB
MD598770412a56e104ddfb87ae6340b1093
SHA14b60ecf99f45e1fd07adf47f3b4e05ade8abe097
SHA256973cfb62fa06d8df693284dbf4130638dc1defc14c535cb11a45880f0584c1af
SHA512a84524dbce338197bf0067f656c1dccd51f94ae64ea4e12f64a8ed4b781e380828e56e2ec45cbd7fdd797d4b6c402085148c268a4ec328b89faa7a4bca907660
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
91KB
MD5334731784ee0ecfbe313131c7d4f82fa
SHA13d887de450ea563f8cda61de122b30ec2639134d
SHA25691d740d267ce3de2f8313ad243e65a34ceced27537018124e41d239ad189788a
SHA5121ee44a36f587f806309aa73bca072b5daaaa0f1bed208c81eee15d1ac1cfb4b450c3288a2dabd807cab594d977b27c8fc26f6dcfa0be40cdb11a6576d282a4ba
-
Filesize
91KB
MD5685403cb101fb109846fc08743c34d9e
SHA1308996254958dbb83bc768873dec55f7323fb35d
SHA2567c7ba94281aff39ec4a493575e394d76f3f198d6ecba8cc4457d41d0da8e340d
SHA51254235ae168dfd55721032f049eb876d004e1f4ea7704a99be46cd0754f6bac8da0b9adbe6598d873c4501bd6599a2812ec82688468dd6ce0c647e5b2bc44f8b6
-
Filesize
91KB
MD578d97ae526ad275331cd73401c322ca7
SHA1c3f1af8d4510abdbc821deec68d72b97c58804c1
SHA256ee76ee54808f1b57a9bf7f2cb44572c1e875d028dc806dbb749bdf58f12541de
SHA512141dcb8c6c8303ad5934cb642213125426dd88c7adc8d83d92ee22a327482401cf2459578fe3100c391808f8271b6ed07398b561372be70c7d6cfcb48d70b77c
-
Filesize
91KB
MD56537f50e383a4088fcfd5959e9af0fd0
SHA1e4b42e64831cd1ecbc31b7a7a46d86af698d57c3
SHA256c79e74521c3eb3bf67ee5d948be7ce8437e0ec543c93b62a652c9e5b6df0ca5b
SHA512cc1dc4b3ac490d71fbe5a3e656a73b6d43952fb177aff57b62273ef17bf74667ebbccc35d174e50c930d81ef154a091c45961324bd00bc3bf76a037bdc8b8b48
-
Filesize
729B
MD58e3c734e8dd87d639fb51500d42694b5
SHA1f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA51206ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853
-
Filesize
91KB
MD5fd1df0aeefedf3110c5217306241c0d6
SHA1a690e4cc38e2346b090210d8357a65b057a65b2a
SHA256ffea178baf3519beba99dcc8c21a52758f0b0f6fd7f4e06378b4dbeb05982a0a
SHA5126d25e09de8f5370d14156cf0d9f20350355e727a7827293ed37de2b8c1d863ce679f4c0cc63d7c49624219a4a50f0539273ec8836c17e2841d727be55c2f1de3
-
Filesize
39B
MD5415c421ba7ae46e77bdee3a681ecc156
SHA1b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62
-
Filesize
91KB
MD57c7e30156b3f12e26a8e3634583ac9bd
SHA1983a1be7c6e748034259c480050a299d9488dfc8
SHA256f5941b4e79274501ffdde6d10c14a4083707d9288e145e8d403d5c47b1fdcd3e
SHA512ba71020b5294124a0bf39aa40b9d82cc36498642495b972510364cf1e28feffcfe0a77c57beb60a81bc58d4cb461c5d5a55cf5af3db4e3008116255fb013f681
-
Filesize
91KB
MD5b41f66adcd8c6e9e9c62954f0ac027a7
SHA1107227a9684feaec0ccd6d5b2adff8962df0171b
SHA256249c5f0328da33dc98d62d5c5234e0aeec1cbdad8cd2d9b970d7e39afc926e8e
SHA5126374d2faceb4c8ee41399f683741ad19a0c8b985d0b0d8021769dd68c7e036741fb10b9a1ea0382b1663537f2528f1eb679006a2829873e7507346f7894554b4
-
Filesize
91KB
MD5254f1e6a26e7d3580fb663d6420f7a43
SHA191d8968a98855046e1bb2a6b8818f276b0fd1d33
SHA256ca0421eb5e367302d5be392d1a89d0735612981ad2cd44ea3ef822d7d21c8f34
SHA51283fb7b8d2783c67fa198a853e427c78f931750cbe98bcf5ae60a026826b06f4c56c8ad1feba1b415219fb5070a3923a75985f60892435a4ffc736eb6f39b06bd