Analysis

max time kernel: 120s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 06:05

Static task: static1

Behavioral task: behavioral1
Sample: 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Resource: win10v2004-20241007-en

General

Target: 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Size: 384KB
MD5: 2b9ffc7e6cd8b47925aea8d5bdcb6d00
SHA1: ed9bbedb791fad104e93a47ff059f0b1efbfadaa
SHA256: 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5e
SHA512: 78b665813a809a624fa61f6f2ec4f2241959be204d7466e473b6671c9c1c8e8c0edf281b1f418e7ad79e4fea012d4ec9c5e23ff992a72af4c7662aed59749b69
SSDEEP: 6144:V/OZplx/OZplP/OZplx/OZpl7/OZplx/OZpl4/OZplpBE/OZ8:V/Mx/MP/Mx/M7/Mx/M4/MpBE/h

Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | winlogon.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | IExplorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cute.exe
Disables RegEdit via registry modification (6 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | imoet.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification (6 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe
Disables use of System Restore points (1 TTPs)
Executes dropped EXE (35 IoCs)

pid | Process
2588 | Tiwi.exe
3044 | IExplorer.exe
688 | winlogon.exe
2024 | Tiwi.exe
3024 | IExplorer.exe
2984 | Tiwi.exe
892 | IExplorer.exe
2464 | Tiwi.exe
1536 | winlogon.exe
2192 | Tiwi.exe
3016 | IExplorer.exe
1580 | winlogon.exe
548 | IExplorer.exe
2100 | imoet.exe
2148 | imoet.exe
2240 | winlogon.exe
1804 | cute.exe
2692 | imoet.exe
2724 | winlogon.exe
2844 | cute.exe
2880 | imoet.exe
2836 | cute.exe
2932 | imoet.exe
2660 | Tiwi.exe
672 | cute.exe
1832 | IExplorer.exe
2648 | cute.exe
1636 | Tiwi.exe
1056 | winlogon.exe
580 | IExplorer.exe
2032 | winlogon.exe
1900 | imoet.exe
2924 | cute.exe
2804 | imoet.exe
2024 | cute.exe
Loads dropped DLL (53 IoCs)

pid | Process
1788 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
1788 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
1788 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
1788 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
1788 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
1788 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
2588 | Tiwi.exe
2588 | Tiwi.exe
1788 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
1788 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
3044 | IExplorer.exe
3044 | IExplorer.exe
2588 | Tiwi.exe
688 | winlogon.exe
2588 | Tiwi.exe
688 | winlogon.exe
1788 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
1788 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
2588 | Tiwi.exe
2588 | Tiwi.exe
3044 | IExplorer.exe
3044 | IExplorer.exe
1788 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
1788 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
3044 | IExplorer.exe
3044 | IExplorer.exe
688 | winlogon.exe
2588 | Tiwi.exe
2588 | Tiwi.exe
688 | winlogon.exe
688 | winlogon.exe
3044 | IExplorer.exe
3044 | IExplorer.exe
1788 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
1788 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
2100 | imoet.exe
688 | winlogon.exe
688 | winlogon.exe
2100 | imoet.exe
1788 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
1788 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
2100 | imoet.exe
2100 | imoet.exe
1804 | cute.exe
1804 | cute.exe
1804 | cute.exe
1804 | cute.exe
2100 | imoet.exe
2100 | imoet.exe
2100 | imoet.exe
1804 | cute.exe
1804 | cute.exe
1804 | cute.exe
Modifies system executable filetype association (2 TTPs, 64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Adds Run key to start application (2 TTPs, 24 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | cute.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description | ioc | Process
File opened (read-only) | \??\E: | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File opened (read-only) | \??\Q: | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File opened (read-only) | \??\O: | Tiwi.exe
File opened (read-only) | \??\Y: | cute.exe
File opened (read-only) | \??\X: | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File opened (read-only) | \??\B: | Tiwi.exe
File opened (read-only) | \??\M: | IExplorer.exe
File opened (read-only) | \??\O: | cute.exe
File opened (read-only) | \??\G: | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File opened (read-only) | \??\J: | Tiwi.exe
File opened (read-only) | \??\X: | Tiwi.exe
File opened (read-only) | \??\S: | winlogon.exe
File opened (read-only) | \??\T: | imoet.exe
File opened (read-only) | \??\M: | cute.exe
File opened (read-only) | \??\U: | Tiwi.exe
File opened (read-only) | \??\K: | imoet.exe
File opened (read-only) | \??\T: | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File opened (read-only) | \??\R: | Tiwi.exe
File opened (read-only) | \??\P: | imoet.exe
File opened (read-only) | \??\L: | cute.exe
File opened (read-only) | \??\S: | cute.exe
File opened (read-only) | \??\X: | cute.exe
File opened (read-only) | \??\W: | IExplorer.exe
File opened (read-only) | \??\U: | winlogon.exe
File opened (read-only) | \??\Z: | winlogon.exe
File opened (read-only) | \??\H: | imoet.exe
File opened (read-only) | \??\U: | cute.exe
File opened (read-only) | \??\L: | winlogon.exe
File opened (read-only) | \??\W: | imoet.exe
File opened (read-only) | \??\I: | cute.exe
File opened (read-only) | \??\H: | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File opened (read-only) | \??\I: | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File opened (read-only) | \??\I: | Tiwi.exe
File opened (read-only) | \??\T: | Tiwi.exe
File opened (read-only) | \??\Y: | Tiwi.exe
File opened (read-only) | \??\X: | winlogon.exe
File opened (read-only) | \??\N: | cute.exe
File opened (read-only) | \??\U: | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File opened (read-only) | \??\G: | imoet.exe
File opened (read-only) | \??\N: | imoet.exe
File opened (read-only) | \??\X: | imoet.exe
File opened (read-only) | \??\B: | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File opened (read-only) | \??\Q: | Tiwi.exe
File opened (read-only) | \??\P: | winlogon.exe
File opened (read-only) | \??\Q: | imoet.exe
File opened (read-only) | \??\Y: | imoet.exe
File opened (read-only) | \??\Q: | cute.exe
File opened (read-only) | \??\M: | Tiwi.exe
File opened (read-only) | \??\G: | IExplorer.exe
File opened (read-only) | \??\I: | imoet.exe
File opened (read-only) | \??\V: | cute.exe
File opened (read-only) | \??\L: | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File opened (read-only) | \??\M: | imoet.exe
File opened (read-only) | \??\S: | imoet.exe
File opened (read-only) | \??\S: | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File opened (read-only) | \??\I: | IExplorer.exe
File opened (read-only) | \??\V: | imoet.exe
File opened (read-only) | \??\W: | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File opened (read-only) | \??\N: | winlogon.exe
File opened (read-only) | \??\E: | cute.exe
File opened (read-only) | \??\H: | cute.exe
File opened (read-only) | \??\E: | IExplorer.exe
File opened (read-only) | \??\O: | IExplorer.exe
File opened (read-only) | \??\B: | imoet.exe
Modifies WinLogon (2 TTPs, 18 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | Tiwi.exe
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.

description | ioc | Process
File created | C:\autorun.inf | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File opened for modification | C:\autorun.inf | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File created | F:\autorun.inf | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File opened for modification | F:\autorun.inf | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Drops file in System32 directory (40 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\tiwi.scr | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | winlogon.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | imoet.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\shell.exe | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | Tiwi.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | imoet.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | cute.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | cute.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | cute.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | cute.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | Tiwi.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | imoet.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | imoet.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
Drops file in Windows directory 26 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies Control Panel 54 IoCs
Modifies Internet Explorer settings 18 IoCs
Modifies Internet Explorer start page 1 TTPs 6 IoCs
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1788 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process 2588 Tiwi.exe 2100 imoet.exe 688 winlogon.exe 3044 IExplorer.exe 1804 cute.exe -
Suspicious use of SetWindowsHookEx 36 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 12 IoCs
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe (command line: "C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1788 -
Level 2: C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2588 -
Level 3: C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2984
-
-
Level 3: C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:892
-
-
Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1580
-
-
Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2148
-
-
Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2844
-
-
-
Level 2: C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3044 -
Level 3: C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2464
-
-
Level 3: C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3016
-
-
Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2240
-
-
Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2692
-
-
Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2836
-
-
-
Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:688 -
Level 3: C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2192
-
-
Level 3: C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:548
-
-
Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2724
-
-
Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2880
-
-
Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:672
-
-
-
Level 2: C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2024
-
-
Level 2: C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3024
-
-
Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1536
-
-
Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2100 -
Level 3: C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2660
-
-
Level 3: C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1832
-
-
Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1056
-
-
Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1900
-
-
Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2924
-
-
-
Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1804 -
Level 3: C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1636
-
-
Level 3: C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:580
-
-
Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2032
-
-
Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2804
-
-
Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2024
-
-
-
Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2932
-
-
Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2648
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (9)
Downloads