Analysis
max time kernel: 119s
max time network: 92s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 06:05
Static task: static1
Behavioral task: behavioral1
  Sample: 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
  Resource: win10v2004-20241007-en
General
Target: 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Size: 384KB
MD5: 2b9ffc7e6cd8b47925aea8d5bdcb6d00
SHA1: ed9bbedb791fad104e93a47ff059f0b1efbfadaa
SHA256: 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5e
SHA512: 78b665813a809a624fa61f6f2ec4f2241959be204d7466e473b6671c9c1c8e8c0edf281b1f418e7ad79e4fea012d4ec9c5e23ff992a72af4c7662aed59749b69
SSDEEP: 6144:V/OZplx/OZplP/OZplx/OZpl7/OZplx/OZpl4/OZplpBE/OZ8:V/Mx/MP/Mx/M7/Mx/M4/MpBE/h
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description: ioc -> process(es)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" -> Tiwi.exe, IExplorer.exe, cute.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, winlogon.exe, imoet.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" -> IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, Tiwi.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description: ioc -> process(es)
  Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" -> cute.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description: ioc -> process(es)
  Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" -> cute.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe
Disables RegEdit via registry modification (6 IoCs)
description: ioc -> process(es)
  Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" -> cute.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe
Disables Task Manager via registry modification

Disables cmd.exe use via registry modification (6 IoCs)
description: ioc -> process(es)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" -> 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe
Disables use of System Restore points (1 TTP)

Executes dropped EXE (35 IoCs)
process -> pid(s)
  Tiwi.exe -> 4136, 3472, 4392, 1084, 1608, 3620, 4120
  IExplorer.exe -> 4932, 1504, 1120, 1672, 1428, 2988, 4588
  winlogon.exe -> 3216, 3884, 4668, 2632, 1872, 628, 1376
  imoet.exe -> 3024, 5068, 3580, 4192, 3448, 4860, 2996
  cute.exe -> 4084, 4456, 2948, 1696, 2008, 3428, 3544
Loads dropped DLL (6 IoCs)
process -> pid(s)
  Tiwi.exe -> 3472, 4392, 1084, 1608, 4120, 3620
Modifies system executable filetype association (2 TTPs, 64 IoCs)
description: ioc -> process(es)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" -> IExplorer.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, cute.exe, imoet.exe, winlogon.exe, Tiwi.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" -> cute.exe, imoet.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, IExplorer.exe, winlogon.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" -> cute.exe, imoet.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, Tiwi.exe, winlogon.exe, IExplorer.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" -> IExplorer.exe, Tiwi.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, winlogon.exe, cute.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" -> 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, IExplorer.exe, imoet.exe, winlogon.exe, Tiwi.exe, cute.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" -> cute.exe, imoet.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, Tiwi.exe, winlogon.exe, IExplorer.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command -> Tiwi.exe, cute.exe, imoet.exe, winlogon.exe, IExplorer.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command -> 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, imoet.exe, Tiwi.exe, cute.exe, IExplorer.exe, winlogon.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command -> winlogon.exe, imoet.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, cute.exe, IExplorer.exe, Tiwi.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command -> cute.exe, IExplorer.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, imoet.exe, winlogon.exe, Tiwi.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command -> 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, IExplorer.exe, imoet.exe, winlogon.exe, cute.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell -> 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open -> 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
description: ioc -> process(es)
  Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" -> cute.exe, imoet.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, winlogon.exe, Tiwi.exe, IExplorer.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" -> imoet.exe, IExplorer.exe, winlogon.exe, cute.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, Tiwi.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" -> winlogon.exe, imoet.exe, cute.exe, IExplorer.exe, Tiwi.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" -> winlogon.exe, cute.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, Tiwi.exe, IExplorer.exe, imoet.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: process -> ioc(s)
  File opened (read-only) by 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe -> \??\K:, \??\U:, \??\Z:, \??\E:, \??\L:, \??\R:, \??\J:, \??\M:, \??\P:, \??\I:, \??\X:
  File opened (read-only) by winlogon.exe -> \??\Q:, \??\E:, \??\K:, \??\W:, \??\B:, \??\N:, \??\O:, \??\Z:, \??\H:, \??\S:, \??\M:
  File opened (read-only) by cute.exe -> \??\L:, \??\M:, \??\W:, \??\U:, \??\S:, \??\R:, \??\H:, \??\B:, \??\J:, \??\P:, \??\Z:, \??\T:
  File opened (read-only) by IExplorer.exe -> \??\N:, \??\S:, \??\Z:, \??\T:, \??\U:, \??\V:, \??\K:, \??\H:, \??\M:, \??\X:, \??\O:
  File opened (read-only) by imoet.exe -> \??\G:, \??\U:, \??\T:, \??\K:, \??\M:, \??\H:, \??\J:, \??\N:
  File opened (read-only) by Tiwi.exe -> \??\O:, \??\L:, \??\T:, \??\E:, \??\J:, \??\G:, \??\I:, \??\V:, \??\W:, \??\N:, \??\Y:
Modifies WinLogon (2 TTPs, 18 IoCs)
description: ioc -> process(es)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " -> Tiwi.exe, IExplorer.exe, winlogon.exe, cute.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, imoet.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" -> IExplorer.exe, imoet.exe, Tiwi.exe, cute.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, winlogon.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ -> cute.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, Tiwi.exe, winlogon.exe, imoet.exe, IExplorer.exe
Drops autorun.inf file (1 TTP, 10 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description: ioc -> process(es)
  File created C:\autorun.inf -> 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, IExplorer.exe
  File opened for modification C:\autorun.inf -> IExplorer.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
  File created F:\autorun.inf -> 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, IExplorer.exe, Tiwi.exe
  File opened for modification F:\autorun.inf -> Tiwi.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, IExplorer.exe
Drops file in System32 directory (40 IoCs)
description: ioc -> process(es)
  File opened for modification C:\Windows\SysWOW64\msvbvm60.dll -> IExplorer.exe (x7)
  File created C:\Windows\SysWOW64\msvbvm60.dll -> IExplorer.exe (x7)
  File created C:\Windows\SysWOW64\shell.exe -> 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
  File opened for modification C:\Windows\SysWOW64\shell.exe -> winlogon.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, imoet.exe, cute.exe, IExplorer.exe, Tiwi.exe
  File created C:\Windows\SysWOW64\IExplorer.exe -> winlogon.exe, cute.exe, imoet.exe, Tiwi.exe, IExplorer.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
  File opened for modification C:\Windows\SysWOW64\IExplorer.exe -> cute.exe, IExplorer.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, imoet.exe, Tiwi.exe, winlogon.exe
  File created C:\Windows\SysWOW64\tiwi.scr -> 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
  File opened for modification C:\Windows\SysWOW64\tiwi.scr -> winlogon.exe, imoet.exe, 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe, IExplorer.exe, Tiwi.exe, cute.exe
Drops file in Windows directory 26 IoCs
description | ioc | Process
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | IExplorer.exe
File created | C:\Windows\tiwi.exe | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | imoet.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | Tiwi.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | cute.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | winlogon.exe
File created | C:\Windows\tiwi.exe | winlogon.exe
File created | C:\Windows\tiwi.exe | imoet.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | Tiwi.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | cute.exe
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Modifies Control Panel 54 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\SwapMouseButtons = "1" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\SwapMouseButtons = "1" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\ | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\ | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\ | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s2359 = "Tiwi" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s1159 = "Tiwi" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\ | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\SwapMouseButtons = "1" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s2359 = "Tiwi" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\ | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\SwapMouseButtons = "1" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s1159 = "Tiwi" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s1159 = "Tiwi" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s1159 = "Tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s1159 = "Tiwi" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\SwapMouseButtons = "1" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s1159 = "Tiwi" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s2359 = "Tiwi" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\SwapMouseButtons = "1" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s2359 = "Tiwi" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s2359 = "Tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s2359 = "Tiwi" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\ | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\ | Tiwi.exe
Modifies Internet Explorer settings 18 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\ | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\ | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\ | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\ | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\ | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | cute.exe
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Tiwi.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid | Process
4136 | Tiwi.exe
3024 | imoet.exe
3216 | winlogon.exe
4932 | IExplorer.exe
4084 | cute.exe
Suspicious use of SetWindowsHookEx 36 IoCs
pid | Process
1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
4136 | Tiwi.exe
4932 | IExplorer.exe
3472 | Tiwi.exe
4392 | Tiwi.exe
1084 | Tiwi.exe
1504 | IExplorer.exe
1120 | IExplorer.exe
1672 | IExplorer.exe
3216 | winlogon.exe
4668 | winlogon.exe
3024 | imoet.exe
5068 | imoet.exe
4084 | cute.exe
3884 | winlogon.exe
4456 | cute.exe
3580 | imoet.exe
2948 | cute.exe
2632 | winlogon.exe
4192 | imoet.exe
1696 | cute.exe
1608 | Tiwi.exe
1428 | IExplorer.exe
1872 | winlogon.exe
4120 | Tiwi.exe
3620 | Tiwi.exe
2988 | IExplorer.exe
3448 | imoet.exe
4588 | IExplorer.exe
2008 | cute.exe
628 | winlogon.exe
1376 | winlogon.exe
4860 | imoet.exe
2996 | imoet.exe
3428 | cute.exe
3544 | cute.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1640 wrote to memory of 4136 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 85
PID 1640 wrote to memory of 4136 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 85
PID 1640 wrote to memory of 4136 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 85
PID 1640 wrote to memory of 4932 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 86
PID 1640 wrote to memory of 4932 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 86
PID 1640 wrote to memory of 4932 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 86
PID 1640 wrote to memory of 3472 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 88
PID 1640 wrote to memory of 3472 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 88
PID 1640 wrote to memory of 3472 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 88
PID 4136 wrote to memory of 4392 | 4136 | Tiwi.exe | 89
PID 4136 wrote to memory of 4392 | 4136 | Tiwi.exe | 89
PID 4136 wrote to memory of 4392 | 4136 | Tiwi.exe | 89
PID 4932 wrote to memory of 1084 | 4932 | IExplorer.exe | 92
PID 4932 wrote to memory of 1084 | 4932 | IExplorer.exe | 92
PID 4932 wrote to memory of 1084 | 4932 | IExplorer.exe | 92
PID 1640 wrote to memory of 1504 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 93
PID 1640 wrote to memory of 1504 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 93
PID 1640 wrote to memory of 1504 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 93
PID 4136 wrote to memory of 1120 | 4136 | Tiwi.exe | 94
PID 4136 wrote to memory of 1120 | 4136 | Tiwi.exe | 94
PID 4136 wrote to memory of 1120 | 4136 | Tiwi.exe | 94
PID 4932 wrote to memory of 1672 | 4932 | IExplorer.exe | 95
PID 4932 wrote to memory of 1672 | 4932 | IExplorer.exe | 95
PID 4932 wrote to memory of 1672 | 4932 | IExplorer.exe | 95
PID 1640 wrote to memory of 3216 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 96
PID 1640 wrote to memory of 3216 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 96
PID 1640 wrote to memory of 3216 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 96
PID 4136 wrote to memory of 3884 | 4136 | Tiwi.exe | 97
PID 4136 wrote to memory of 3884 | 4136 | Tiwi.exe | 97
PID 4136 wrote to memory of 3884 | 4136 | Tiwi.exe | 97
PID 4932 wrote to memory of 4668 | 4932 | IExplorer.exe | 98
PID 4932 wrote to memory of 4668 | 4932 | IExplorer.exe | 98
PID 4932 wrote to memory of 4668 | 4932 | IExplorer.exe | 98
PID 4932 wrote to memory of 3024 | 4932 | IExplorer.exe | 99
PID 4932 wrote to memory of 3024 | 4932 | IExplorer.exe | 99
PID 4932 wrote to memory of 3024 | 4932 | IExplorer.exe | 99
PID 1640 wrote to memory of 5068 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 101
PID 1640 wrote to memory of 5068 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 101
PID 1640 wrote to memory of 5068 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 101
PID 1640 wrote to memory of 4084 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 103
PID 1640 wrote to memory of 4084 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 103
PID 1640 wrote to memory of 4084 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 103
PID 4932 wrote to memory of 4456 | 4932 | IExplorer.exe | 104
PID 4932 wrote to memory of 4456 | 4932 | IExplorer.exe | 104
PID 4932 wrote to memory of 4456 | 4932 | IExplorer.exe | 104
PID 4136 wrote to memory of 3580 | 4136 | Tiwi.exe | 105
PID 4136 wrote to memory of 3580 | 4136 | Tiwi.exe | 105
PID 4136 wrote to memory of 3580 | 4136 | Tiwi.exe | 105
PID 4136 wrote to memory of 2948 | 4136 | Tiwi.exe | 106
PID 4136 wrote to memory of 2948 | 4136 | Tiwi.exe | 106
PID 4136 wrote to memory of 2948 | 4136 | Tiwi.exe | 106
PID 1640 wrote to memory of 2632 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 107
PID 1640 wrote to memory of 2632 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 107
PID 1640 wrote to memory of 2632 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 107
PID 1640 wrote to memory of 4192 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 108
PID 1640 wrote to memory of 4192 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 108
PID 1640 wrote to memory of 4192 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 108
PID 1640 wrote to memory of 1696 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 109
PID 1640 wrote to memory of 1696 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 109
PID 1640 wrote to memory of 1696 | 1640 | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe | 109
PID 3216 wrote to memory of 1608 | 3216 | winlogon.exe | 110
PID 3216 wrote to memory of 1608 | 3216 | winlogon.exe | 110
PID 3216 wrote to memory of 1608 | 3216 | winlogon.exe | 110
PID 3216 wrote to memory of 1428 | 3216 | winlogon.exe | 111
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cute.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe
Processes
C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1640
  C:\Windows\Tiwi.exe
  Command line: C:\Windows\Tiwi.exe
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 4136
    C:\Windows\Tiwi.exe
    Command line: C:\Windows\Tiwi.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 4392
    C:\Windows\SysWOW64\IExplorer.exe
    Command line: C:\Windows\system32\IExplorer.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 1120
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 3884
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 3580
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2948
  C:\Windows\SysWOW64\IExplorer.exe
  Command line: C:\Windows\system32\IExplorer.exe
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 4932
    C:\Windows\Tiwi.exe
    Command line: C:\Windows\Tiwi.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 1084
    C:\Windows\SysWOW64\IExplorer.exe
    Command line: C:\Windows\system32\IExplorer.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 1672
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 4668
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID: 3024
      C:\Windows\Tiwi.exe
      Command line: C:\Windows\Tiwi.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 4120
      C:\Windows\SysWOW64\IExplorer.exe
      Command line: C:\Windows\system32\IExplorer.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 2988
      C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 628
      C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 4860
      C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 3428
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 4456
  C:\Windows\Tiwi.exe
  Command line: C:\Windows\Tiwi.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 3472
  C:\Windows\SysWOW64\IExplorer.exe
  Command line: C:\Windows\system32\IExplorer.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 1504
  C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 3216
    C:\Windows\Tiwi.exe
    Command line: C:\Windows\Tiwi.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 1608
    C:\Windows\SysWOW64\IExplorer.exe
    Command line: C:\Windows\system32\IExplorer.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 1428
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 1872
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 3448
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2008
  C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 5068
  C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID: 4084
    C:\Windows\Tiwi.exe
    Command line: C:\Windows\Tiwi.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 3620
    C:\Windows\SysWOW64\IExplorer.exe
    Command line: C:\Windows\system32\IExplorer.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 4588
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 1376
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2996
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 3544
  C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 2632
  C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 4192
  C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 1696
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 2
Event Triggered Execution 1
Change Default File Association 1
Privilege Escalation
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 2
Event Triggered Execution 1
Change Default File Association 1
Defense Evasion
Hide Artifacts 2
Hidden Files and Directories 2
Modify Registry 9
Downloads
Filesize 45KB
MD5 421bc619ac6e9207fe5524f1fa052565
SHA1 f110d767841bf94da3025c0f97306b2443224959
SHA256 19a758bfac6e483027d0bd335fa2ce20c916ad58ecf973aaac8eb734a54e1c5e
SHA512 8049cb49ae46755e09d4245c2bd049b0a2b2e881bbfc95d954a081166ab957770af253d2c2f9d7fea56a22b799e07e5769ad8ae9220750e6b7812ae9e90ba1a5

Filesize 384KB
MD5 3d3cdffb95b010f5a8981737af494a24
SHA1 741e51a27ee7ddd1bd0b245fc810b84946b6aca9
SHA256 c889e7eef1fa092f022858e5df6e7df379d625e2d12c212700f9bbcb06ef1d1e
SHA512 173b8df07c224265813338e749537e0b4e0c9b64b3f42fc2407f607ba503585706313e38175e8a46fb5330120ac2fea9b20d352effc3917b4b3a7b39cd68ec0c

Filesize 384KB
MD5 602a549f9fc3b558fb69ad942b8bd9e8
SHA1 b4618c87c153c27883dac4432570a14e99394306
SHA256 484562d3af34180f4c6232427c6e8354180f939db8f66fcef750f90151166ce3
SHA512 a9cb5f47cf3cb7ede2a2bed26ba744295ee942808602fef0f83e97076f3c46f3d16bb4153ffe489585c79394844b7b1d2ad672055ef59c0e4c746a85b09a8fd5

Filesize 384KB
MD5 0b3a8a8a3adb616d8bda14f3e533e930
SHA1 f04e991dc61ebd147741f3e163c672a91306d5b3
SHA256 63e62128185ddf6505de15f495dc5fc06c9e8925e774119a635c2a2fc8420991
SHA512 78558fbe572be214fb485f6ec679dc5ad98d415bb548443ca48b1e02147f03c6ca0fb4b8b8c58e81aac957204ca8010a4c75df4e0812a292f21f8157d5671b40

Filesize 384KB
MD5 1ec5bfdfb985aaa32bc4caec8f7cae10
SHA1 2731019d607dcfef7f16be3fa8338ea8a0c30c5b
SHA256 2351413d0cc90459067369513645442f7c2e13a3fdc96d2e9d1bea2a1295b6d6
SHA512 2e8396c3c82db45819a5b78d4085a7348626bbdb539b6b2d917c0a8a02ef8034e752ee81badfcd801c14983ac48fcf27e4de2a016c16b524f5c32ca68b9f2a38

Filesize 384KB
MD5 619a5a971a7ad0bd94276601511d258a
SHA1 ee690588331efc239bd5d35508028a93275caa26
SHA256 475234daa63cfd84b58e498e45a7442ad55e86f180651b8edca886ce64210414
SHA512 7715152db3d3dc54af26f63f00db446cc836205bb1f7e3929606803799a55033a11c2b9fbcfa41ece7dcf20286e04889e06a4354d17af9f3f25c0560ea47f1b8

Filesize 45KB
MD5 1da120080779fa0df385d84ca318db46
SHA1 a59b10bec70920a75f5c7d8b6c3a1da32501d12b
SHA256 015949235de02ee292349765e8c0050fd4d141929ca5a840b2cdc6b0f6bf3ae0
SHA512 b09db4e7a2571d7c6dcae8dfe8cb394a4058053b6204856b6ecfb8949edb9ffb6c2ed0884c4815e1e6b1c2873d2b7984395483f229a28227ee06e3de20429650

Filesize 45KB
MD5 ec63c79d3dda43ed5543c3e6ae103859
SHA1 51301983008ad0ffb38c268f1b17f50be4f92ff1
SHA256 776907c4b9deed6889e77ed27523793d7801e404fe770cc975be4b788a6e8b18
SHA512 7c59aeb11639e9c92598cb404608eb8e490312e05be4b3c8384977a8f73468ee39e24d4f07443ec6215b53e61172910c3a4e41a2e58bf27783a4cc863242f3ee

Filesize 384KB
MD5 0904d1363c491b93425fb87a858752eb
SHA1 8564d2fb05c4d48066ce841d04ea98472699fbd8
SHA256 a50a6286eaed4e40ddf04c46840d1279bffa1a57f78296b17a41b59236139591
SHA512 c51565f9490739088ca99a2a245e8970f0b5d9e25bebe2ff6952461f6e2946bf7c1e66288db79e9ee1e5e4afffcb159aba3d5ed608e5926c28fa7ef743b2362d

Filesize 384KB
MD5 ade47aab1aab913beef18f855fe68e1e
SHA1 304096a453747cbba928c57b8153e30097a5b054
SHA256 acd7841f03e70dac144b6bee4761db0e9aec96b481b5f43b03ac8ff19dbf964a
SHA512 0de2f582ef6a407403ad0d7ec003a48c9fa3bbae0d86a99e917a6e56fe0e8d8e80943856145e3443049dddfdcbec81a9cd99d4db1ad3778de76e4667b7f1ad97

Filesize 384KB
MD5 4b00f140e6b862252b705e870a4f1590
SHA1 ae2118eee71a193173b6f18f0b003306cb732738
SHA256 9d7ff3c255a7492024d9514532fcd6f0e0dab30d86a10887aecee93073896453
SHA512 ccd970109eac2c2800d53a01a70d94cd4c2a46b7cdb203329cc2cac633b2d03ffe05234ec97e6f2baec270b4606bae202277ace0bf6e3a2062e2e90bde42a3c2

Filesize 1.4MB
MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Filesize 384KB
MD5 d62fff08d20cda68686870292fb1c056
SHA1 39ebff0416ad16197eec8b2569e521e098a98044
SHA256 0e130155bc2b4be630e0facdcb474c8187f998e41b2cde39bfe8b9ae4f4dd46a
SHA512 acc179070ea571f5f1e3a807e2acc9a3d537271c92612e21491302830b5138917a8d38c7de07b1e98c7a5fe73937b9c773c3ee76b84d18e2a3bbe19cafc02b8d

Filesize 384KB
MD5 5b51117d91ae3cce562a4c094aad1631
SHA1 4bb779e5f816a203be0f38f100f34617e24b3ff4
SHA256 56cab5c96d3630d8861456b8264b00f2282fcc7c1f984936cc13259f72f76b30
SHA512 8e372a96456a140b0fc4451f0110aed7c82b8f59349da666e20b5722c21a6e7dc39cf02f48e3187e531a8b1dfca9090a601d4b209343c869c7812c381620c0e7

Filesize 384KB
MD5 c2f2babf3d81f017374a5038b1d6ca25
SHA1 43e08f893c1b662ef297a4fc19186f6b751f88ed
SHA256 39c7bb0ee6d609af5b73edc66ca4b3f32a4a2ff177f3f7d97a4685e9635024ee
SHA512 494de8a777d987b4e78880ede49bc94097807c548e2526b2f060809e45a97c7905810e95a4eae5d4c0cc613b715caca7c40089e64ac909565cbed17eb8d777b2

Filesize 384KB
MD5 2b9ffc7e6cd8b47925aea8d5bdcb6d00
SHA1 ed9bbedb791fad104e93a47ff059f0b1efbfadaa
SHA256 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5e
SHA512 78b665813a809a624fa61f6f2ec4f2241959be204d7466e473b6671c9c1c8e8c0edf281b1f418e7ad79e4fea012d4ec9c5e23ff992a72af4c7662aed59749b69

Filesize 384KB
MD5 c82a6ce9a04a4cd9801a3093e7580bf9
SHA1 4197adea48506def0f3e5007ba8e3f997c17ca79
SHA256 df2fd5dc29e583d9a971f678e6ce3d350f58d7f03f57e53dbbc1985b353564f7
SHA512 039033b56da898d2ef2ac732d3e32ce1ee29ac2866cbafe5f324f90bb4e6d63635c7c36669bca9f417ff3a6859ef7566b56eb7f12d417e9dacfba7749868d6f5

Filesize 384KB
MD5 fe831b0adcfe3d627a232b3a57f78feb
SHA1 f4722774d52670e50dc12a742ee9b97bbc44f9c5
SHA256 95deb5b21a7db2dadaacf413c93789aceb03f5643dc123b69935d0928c279ec5
SHA512 04cd8b62c050047d154bdda6b0bceb1ee5fc77260493b2c998b570792d38755dad67f740d9559251e51980d1e82ce460e531e1b7e4006546aa9dd6b579559729

Filesize 384KB
MD5 27da3c58fb2f240dfdd0c2a9026da910
SHA1 51fb9612f1b4b8775ff59c2888044f12a1f88a09
SHA256 62c8081fceb492844689d30bf0fc7d4ef9c59c7bb2f31ae0d74021109d0e1109
SHA512 7aa7ae837d1fc34779addceaca87347db0bae8d30cd52112ed2b038bd469adc066b41117ab6264012552c04aa9b22dd1816e73009f4fb065b7887e10efe814d4

Filesize 729B
MD5 8e3c734e8dd87d639fb51500d42694b5
SHA1 f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256 574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA512 06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Filesize 384KB
MD5 1f03c2dcc8c0decf09c0eb10cfb615c8
SHA1 c60297d1c419a3f25081abab7ff3a17d8007e221
SHA256 f583f0b90d3f321f35b203bf07622e75040ec5f28f6b64168c377a8ba9e1f130
SHA512 bc5b719853d978e962307f8c6bef40d8262028582e31fa6d7784a2505e1daf78f7889c8c7f162589d8b83e1d8a119d6f9f1db00b89aa8eb78dcb4c890b1442b4

Filesize 39B
MD5 415c421ba7ae46e77bdee3a681ecc156
SHA1 b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256 e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512 dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62