Analysis
max time kernel: 120s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 11:02

Static task: static1

Behavioral task: behavioral1
Sample: d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Resource: win10v2004-20241007-en

General
Target: d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Size: 384KB
MD5: c1eb213dadf03c15c500ee0e15cbf260
SHA1: cb40a0d6d7ed1ef83c2145eb4340f46453feb240
SHA256: d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9a
SHA512: 74729eba319094532f3f2a2108be0e85e72294a6e3717a697fd33f2ddfd306e608a03ad5a9ba765a3cad18258404256ad45fc51d871f284a23a2baca02eee875
SSDEEP: 6144:V/OZplW/OZplP/OZplx/OZpl7/OZplx/OZpl4/OZplpBE/OZ8:V/MW/MP/Mx/M7/Mx/M4/MpBE/h

Malware Config

Signatures
-
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | Tiwi.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cute.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cute.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Disables use of System Restore points (1 TTP)
Executes dropped EXE (35 IoCs)
pid | Process
2780 | Tiwi.exe
1928 | IExplorer.exe
1188 | winlogon.exe
2004 | Tiwi.exe
1044 | IExplorer.exe
1300 | Tiwi.exe
920 | winlogon.exe
612 | Tiwi.exe
1416 | Tiwi.exe
316 | IExplorer.exe
2340 | IExplorer.exe
1976 | imoet.exe
2088 | winlogon.exe
2392 | winlogon.exe
2320 | imoet.exe
2940 | IExplorer.exe
2816 | cute.exe
2800 | cute.exe
2804 | winlogon.exe
2824 | imoet.exe
2876 | imoet.exe
2608 | imoet.exe
1384 | cute.exe
1852 | Tiwi.exe
2036 | cute.exe
584 | cute.exe
2044 | Tiwi.exe
1704 | IExplorer.exe
532 | IExplorer.exe
1644 | winlogon.exe
1608 | imoet.exe
296 | winlogon.exe
1224 | imoet.exe
2444 | cute.exe
1780 | cute.exe
Loads dropped DLL (53 IoCs)
pid | Process
2288 | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
2288 | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
2288 | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
2288 | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
2288 | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
2288 | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
2288 | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
2288 | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
1928 | IExplorer.exe
1928 | IExplorer.exe
2288 | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
2288 | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
1188 | winlogon.exe
1188 | winlogon.exe
1928 | IExplorer.exe
1928 | IExplorer.exe
1188 | winlogon.exe
2780 | Tiwi.exe
2780 | Tiwi.exe
1188 | winlogon.exe
1188 | winlogon.exe
2288 | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
2288 | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
1188 | winlogon.exe
1188 | winlogon.exe
1928 | IExplorer.exe
1928 | IExplorer.exe
2780 | Tiwi.exe
2780 | Tiwi.exe
2780 | Tiwi.exe
2780 | Tiwi.exe
2288 | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
2288 | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
1928 | IExplorer.exe
1928 | IExplorer.exe
2288 | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
2288 | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
2780 | Tiwi.exe
2780 | Tiwi.exe
1976 | imoet.exe
1976 | imoet.exe
2816 | cute.exe
2816 | cute.exe
1976 | imoet.exe
1976 | imoet.exe
1976 | imoet.exe
2816 | cute.exe
2816 | cute.exe
2816 | cute.exe
2816 | cute.exe
1976 | imoet.exe
1976 | imoet.exe
2816 | cute.exe
Modifies system executable filetype association (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | IExplorer.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | Tiwi.exe
File opened (read-only) | \??\H: | winlogon.exe
File opened (read-only) | \??\K: | imoet.exe
File opened (read-only) | \??\J: | cute.exe
File opened (read-only) | \??\L: | cute.exe
File opened (read-only) | \??\V: | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File opened (read-only) | \??\O: | imoet.exe
File opened (read-only) | \??\V: | imoet.exe
File opened (read-only) | \??\P: | cute.exe
File opened (read-only) | \??\I: | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File opened (read-only) | \??\I: | winlogon.exe
File opened (read-only) | \??\L: | winlogon.exe
File opened (read-only) | \??\B: | IExplorer.exe
File opened (read-only) | \??\Q: | IExplorer.exe
File opened (read-only) | \??\W: | IExplorer.exe
File opened (read-only) | \??\U: | imoet.exe
File opened (read-only) | \??\B: | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File opened (read-only) | \??\T: | winlogon.exe
File opened (read-only) | \??\P: | IExplorer.exe
File opened (read-only) | \??\I: | Tiwi.exe
File opened (read-only) | \??\S: | Tiwi.exe
File opened (read-only) | \??\E: | imoet.exe
File opened (read-only) | \??\Q: | imoet.exe
File opened (read-only) | \??\E: | winlogon.exe
File opened (read-only) | \??\G: | IExplorer.exe
File opened (read-only) | \??\H: | IExplorer.exe
File opened (read-only) | \??\Y: | cute.exe
File opened (read-only) | \??\M: | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File opened (read-only) | \??\O: | Tiwi.exe
File opened (read-only) | \??\J: | imoet.exe
File opened (read-only) | \??\P: | imoet.exe
File opened (read-only) | \??\N: | winlogon.exe
File opened (read-only) | \??\E: | IExplorer.exe
File opened (read-only) | \??\L: | Tiwi.exe
File opened (read-only) | \??\R: | Tiwi.exe
File opened (read-only) | \??\G: | imoet.exe
File opened (read-only) | \??\L: | imoet.exe
File opened (read-only) | \??\W: | imoet.exe
File opened (read-only) | \??\Z: | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File opened (read-only) | \??\S: | winlogon.exe
File opened (read-only) | \??\Z: | winlogon.exe
File opened (read-only) | \??\U: | IExplorer.exe
File opened (read-only) | \??\W: | Tiwi.exe
File opened (read-only) | \??\S: | cute.exe
File opened (read-only) | \??\T: | cute.exe
File opened (read-only) | \??\G: | winlogon.exe
File opened (read-only) | \??\K: | cute.exe
File opened (read-only) | \??\S: | IExplorer.exe
File opened (read-only) | \??\Y: | IExplorer.exe
File opened (read-only) | \??\N: | Tiwi.exe
File opened (read-only) | \??\Z: | Tiwi.exe
File opened (read-only) | \??\O: | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File opened (read-only) | \??\Y: | imoet.exe
File opened (read-only) | \??\J: | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File opened (read-only) | \??\B: | imoet.exe
File opened (read-only) | \??\W: | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File opened (read-only) | \??\B: | winlogon.exe
File opened (read-only) | \??\V: | winlogon.exe
File opened (read-only) | \??\T: | IExplorer.exe
File opened (read-only) | \??\N: | imoet.exe
File opened (read-only) | \??\I: | cute.exe
File opened (read-only) | \??\Q: | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File opened (read-only) | \??\I: | IExplorer.exe
File opened (read-only) | \??\X: | IExplorer.exe
Modifies WinLogon (2 TTPs, 18 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | IExplorer.exe
Drops autorun.inf file (1 TTP, 6 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | C:\autorun.inf | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File opened for modification | C:\autorun.inf | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File created | F:\autorun.inf | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File opened for modification | F:\autorun.inf | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File created | F:\autorun.inf | winlogon.exe
File opened for modification | F:\autorun.inf | winlogon.exe
Drops file in System32 directory (40 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | imoet.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | cute.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\tiwi.scr | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | Tiwi.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | imoet.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | imoet.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | cute.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | cute.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | imoet.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | Tiwi.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\shell.exe | d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | cute.exe
Drops file in Windows directory 26 IoCs
description ioc Process
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\tiwi.exe cute.exe
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File created C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\tiwi.exe d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File created C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File created C:\Windows\tiwi.exe winlogon.exe
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File created C:\Windows\msvbvm60.dll IExplorer.exe
File created C:\Windows\tiwi.exe cute.exe
File opened for modification C:\Windows\tiwi.exe IExplorer.exe
File opened for modification C:\Windows\tiwi.exe Tiwi.exe
File created C:\Windows\tiwi.exe Tiwi.exe
File opened for modification C:\Windows\tiwi.exe imoet.exe
File created C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File created C:\Windows\tiwi.exe d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
File created C:\Windows\tiwi.exe IExplorer.exe
File created C:\Windows\msvbvm60.dll IExplorer.exe
File created C:\Windows\msvbvm60.dll IExplorer.exe
File created C:\Windows\tiwi.exe imoet.exe
File created C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\tiwi.exe winlogon.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe
Modifies Control Panel 54 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" imoet.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s1159 = "Tiwi" imoet.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\SwapMouseButtons = "1" Tiwi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" IExplorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s1159 = "Tiwi" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" imoet.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ Tiwi.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\ d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Tiwi.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\ IExplorer.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\ cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\SwapMouseButtons = "1" IExplorer.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\ winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s1159 = "Tiwi" Tiwi.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ IExplorer.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\ IExplorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s2359 = "Tiwi" cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s2359 = "Tiwi" d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" cute.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\ Tiwi.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\SwapMouseButtons = "1" winlogon.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\SwapMouseButtons = "1" d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" Tiwi.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\ winlogon.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\SwapMouseButtons = "1" imoet.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\ d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" winlogon.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ imoet.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ cute.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\SwapMouseButtons = "1" cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s1159 = "Tiwi" d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" winlogon.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\ imoet.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s2359 = "Tiwi" imoet.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s2359 = "Tiwi" Tiwi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s1159 = "Tiwi" IExplorer.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\ imoet.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s1159 = "Tiwi" cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Tiwi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s2359 = "Tiwi" IExplorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" imoet.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\ Tiwi.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\ cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s2359 = "Tiwi" winlogon.exe
Modifies Internet Explorer settings 18 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\ Tiwi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." IExplorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" cute.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\ d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." winlogon.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\ cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" IExplorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" imoet.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." imoet.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\ imoet.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" Tiwi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." Tiwi.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\ IExplorer.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\ winlogon.exe
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" Tiwi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" IExplorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" imoet.exe
Modifies registry class 64 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile imoet.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} Tiwi.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process
2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process
2780 Tiwi.exe
1976 imoet.exe
1188 winlogon.exe
1928 IExplorer.exe
2816 cute.exe
Suspicious use of SetWindowsHookEx 36 IoCs
pid Process
2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
2780 Tiwi.exe
1928 IExplorer.exe
1188 winlogon.exe
2004 Tiwi.exe
1044 IExplorer.exe
1300 Tiwi.exe
920 winlogon.exe
1416 Tiwi.exe
316 IExplorer.exe
2340 IExplorer.exe
612 Tiwi.exe
2088 winlogon.exe
1976 imoet.exe
2320 imoet.exe
2940 IExplorer.exe
2392 winlogon.exe
2816 cute.exe
2804 winlogon.exe
2800 cute.exe
2824 imoet.exe
2876 imoet.exe
2608 imoet.exe
1384 cute.exe
1852 Tiwi.exe
584 cute.exe
2044 Tiwi.exe
2036 cute.exe
1704 IExplorer.exe
1644 winlogon.exe
532 IExplorer.exe
296 winlogon.exe
1608 imoet.exe
2444 cute.exe
1224 imoet.exe
1780 cute.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2288 wrote to memory of 2780 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 30
PID 2288 wrote to memory of 2780 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 30
PID 2288 wrote to memory of 2780 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 30
PID 2288 wrote to memory of 2780 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 30
PID 2288 wrote to memory of 1928 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 31
PID 2288 wrote to memory of 1928 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 31
PID 2288 wrote to memory of 1928 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 31
PID 2288 wrote to memory of 1928 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 31
PID 2288 wrote to memory of 1188 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 32
PID 2288 wrote to memory of 1188 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 32
PID 2288 wrote to memory of 1188 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 32
PID 2288 wrote to memory of 1188 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 32
PID 2288 wrote to memory of 2004 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 33
PID 2288 wrote to memory of 2004 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 33
PID 2288 wrote to memory of 2004 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 33
PID 2288 wrote to memory of 2004 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 33
PID 2288 wrote to memory of 1044 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 34
PID 2288 wrote to memory of 1044 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 34
PID 2288 wrote to memory of 1044 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 34
PID 2288 wrote to memory of 1044 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 34
PID 1928 wrote to memory of 1300 1928 IExplorer.exe 35
PID 1928 wrote to memory of 1300 1928 IExplorer.exe 35
PID 1928 wrote to memory of 1300 1928 IExplorer.exe 35
PID 1928 wrote to memory of 1300 1928 IExplorer.exe 35
PID 2780 wrote to memory of 612 2780 Tiwi.exe 36
PID 2780 wrote to memory of 612 2780 Tiwi.exe 36
PID 2780 wrote to memory of 612 2780 Tiwi.exe 36
PID 2780 wrote to memory of 612 2780 Tiwi.exe 36
PID 2288 wrote to memory of 920 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 37
PID 2288 wrote to memory of 920 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 37
PID 2288 wrote to memory of 920 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 37
PID 2288 wrote to memory of 920 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 37
PID 1928 wrote to memory of 316 1928 IExplorer.exe 38
PID 1928 wrote to memory of 316 1928 IExplorer.exe 38
PID 1928 wrote to memory of 316 1928 IExplorer.exe 38
PID 1928 wrote to memory of 316 1928 IExplorer.exe 38
PID 1188 wrote to memory of 1416 1188 winlogon.exe 39
PID 1188 wrote to memory of 1416 1188 winlogon.exe 39
PID 1188 wrote to memory of 1416 1188 winlogon.exe 39
PID 1188 wrote to memory of 1416 1188 winlogon.exe 39
PID 2288 wrote to memory of 1976 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 40
PID 2288 wrote to memory of 1976 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 40
PID 2288 wrote to memory of 1976 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 40
PID 2288 wrote to memory of 1976 2288 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe 40
PID 1188 wrote to memory of 2340 1188 winlogon.exe 41
PID 1188 wrote to memory of 2340 1188 winlogon.exe 41
PID 1188 wrote to memory of 2340 1188 winlogon.exe 41
PID 1188 wrote to memory of 2340 1188 winlogon.exe 41
PID 1928 wrote to memory of 2392 1928 IExplorer.exe 42
PID 1928 wrote to memory of 2392 1928 IExplorer.exe 42
PID 1928 wrote to memory of 2392 1928 IExplorer.exe 42
PID 1928 wrote to memory of 2392 1928 IExplorer.exe 42
PID 1188 wrote to memory of 2088 1188 winlogon.exe 43
PID 1188 wrote to memory of 2088 1188 winlogon.exe 43
PID 1188 wrote to memory of 2088 1188 winlogon.exe 43
PID 1188 wrote to memory of 2088 1188 winlogon.exe 43
PID 2780 wrote to memory of 2940 2780 Tiwi.exe 44
PID 2780 wrote to memory of 2940 2780 Tiwi.exe 44
PID 2780 wrote to memory of 2940 2780 Tiwi.exe 44
PID 2780 wrote to memory of 2940 2780 Tiwi.exe 44
PID 1188 wrote to memory of 2320 1188 winlogon.exe 45
PID 1188 wrote to memory of 2320 1188 winlogon.exe 45
PID 1188 wrote to memory of 2320 1188 winlogon.exe 45
PID 1188 wrote to memory of 2320 1188 winlogon.exe 45
System policy modification 1 TTPs 12 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System imoet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe
Processes
Tree depth is given in brackets, followed by the image path as observed, the recorded command line and the PID. An image under C:\Windows\SysWOW64 reached through a C:\Windows\system32 command line is WOW64 file-system redirection at work: the dropped IExplorer.exe is a 32-bit binary on this x64 guest.

[1] C:\Users\Admin\AppData\Local\Temp\d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe, PID:2288
    command line: "C:\Users\Admin\AppData\Local\Temp\d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9aN.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    [2] C:\Windows\Tiwi.exe, PID:2780
        command line: C:\Windows\Tiwi.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Disables RegEdit via registry modification
        - Disables cmd.exe use via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies system executable filetype association
        - Adds Run key to start application
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies Internet Explorer start page
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification

        [3] C:\Windows\Tiwi.exe, PID:612
            command line: C:\Windows\Tiwi.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Windows\SysWOW64\IExplorer.exe, PID:2940
            command line: C:\Windows\system32\IExplorer.exe
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe, PID:2804
            command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe, PID:2876
            command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe, PID:584
            command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

    [2] C:\Windows\SysWOW64\IExplorer.exe, PID:1928
        command line: C:\Windows\system32\IExplorer.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Disables RegEdit via registry modification
        - Disables cmd.exe use via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies system executable filetype association
        - Adds Run key to start application
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies Internet Explorer start page
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification

        [3] C:\Windows\Tiwi.exe, PID:1300
            command line: C:\Windows\Tiwi.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Windows\SysWOW64\IExplorer.exe, PID:316
            command line: C:\Windows\system32\IExplorer.exe
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe, PID:2392
            command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe, PID:2824
            command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe, PID:1384
            command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

    [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe, PID:1188
        command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Disables RegEdit via registry modification
        - Disables cmd.exe use via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies system executable filetype association
        - Adds Run key to start application
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies Internet Explorer start page
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification

        [3] C:\Windows\Tiwi.exe, PID:1416
            command line: C:\Windows\Tiwi.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Windows\SysWOW64\IExplorer.exe, PID:2340
            command line: C:\Windows\system32\IExplorer.exe
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe, PID:2088
            command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe, PID:2320
            command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe, PID:2800
            command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

    [2] C:\Windows\Tiwi.exe, PID:2004
        command line: C:\Windows\Tiwi.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

    [2] C:\Windows\SysWOW64\IExplorer.exe, PID:1044
        command line: C:\Windows\system32\IExplorer.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

    [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe, PID:920
        command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

    [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe, PID:1976
        command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Disables RegEdit via registry modification
        - Disables cmd.exe use via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies system executable filetype association
        - Adds Run key to start application
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies Internet Explorer start page
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - System policy modification

        [3] C:\Windows\Tiwi.exe, PID:1852
            command line: C:\Windows\Tiwi.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Windows\SysWOW64\IExplorer.exe, PID:1704
            command line: C:\Windows\system32\IExplorer.exe
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe, PID:1644
            command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe, PID:1608
            command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe, PID:2444
            command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

    [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe, PID:2816
        command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Disables RegEdit via registry modification
        - Disables cmd.exe use via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies system executable filetype association
        - Adds Run key to start application
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies Internet Explorer start page
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - System policy modification

        [3] C:\Windows\Tiwi.exe, PID:2044
            command line: C:\Windows\Tiwi.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Windows\SysWOW64\IExplorer.exe, PID:532
            command line: C:\Windows\system32\IExplorer.exe
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe, PID:296
            command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe, PID:1224
            command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe, PID:1780
            command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

    [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe, PID:2608
        command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

    [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe, PID:2036
        command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
The number after each technique is how many of the report's signatures map to it; technique IDs are added for reference.
Persistence
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 2
- Event Triggered Execution (T1546): 1
  - Change Default File Association (T1546.001): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 2
- Event Triggered Execution (T1546): 1
  - Change Default File Association (T1546.001): 1
Defense Evasion
- Hide Artifacts (T1564): 2
  - Hidden Files and Directories (T1564.001): 2
- Modify Registry (T1112): 9
Downloads
-
Filesize 384KB
MD5 0d59f81e55f68209448c2bbed2386caf
SHA1 2c6c78b6d4b0ae8f7e1bacc75e6a6f2f3694847d
SHA256 efb0b5c0aa1f41cbf9013b376479a0bb7feda6619ea9dc5c7368501869c8d46b
SHA512 fbcfeb112f2fd9f90bee6de1d64ac587a7dc02984eb6d46853529b8d5dbb3c5993075a6b7b478678baa8e121a1e53e1ec1fb4142575e0d55377f90c7338363a5
-
Filesize 45KB
MD5 8636ace0aba017bd00099020c13f44e3
SHA1 dcbf9ebedd3d3f203966f22ce75f8a510ce1744a
SHA256 3ffaebf35cea76fa7fb1bef61bfd37de5fb4810b56a01d2fcd98d73f51fd4c66
SHA512 59a93e24cc93000781e7e6042d75dbaaae45f5104b5d95efca5ef7eb38173328d69d68342c5fd6ae22f2e3e0f2a96c2022a7b7824b2c64aba50ba884fc08f734
-
Filesize 384KB
MD5 e88448feb22aa0b7413f3cfdb76ef314
SHA1 48395da6db21bd4c11af91d641cf7ab7711e3663
SHA256 7cef895e652d063133bc21037a0d970c3233051da1394083377e3dd27045e3b8
SHA512 3f3dd964da6b210f7124a3240903d4720d30f075fbbe17086affcb3f8c5b7ec8c26e8338a7658f0cc444cd0acd0226f8aa6f91abfa3209fd5d50c0aa9cd43ff3
-
Filesize 384KB
MD5 7b467e884bc5b9296ee338c565998765
SHA1 fbdadf928d73e104dda4376906279f6b7495e20f
SHA256 342f1a9087146d3b4626c37745bbe1ec90ffff1fcbab8a90201cd33ee2bced94
SHA512 4a60b06381cec9c3995d943f0e05bede5efb1b091fc8fbde3d21b9a4e55ba5b5390812b7df4ea402b08175d238f07edf63bd731158c2d36ff5dfe77e874de49b
-
Filesize 384KB
MD5 58530deeb97bbf83723e3f1f5ebc3d07
SHA1 86427e34f349121c9314e06d4bf91b7840397fe8
SHA256 d0cfda7afbcc703b9d8b8dc6f03894f0e06edc1d910f97a345df8329ddb9b4a8
SHA512 04bdd3a86f9d267c20da23410038b04a27442a4dc569dfe767d1786419782d84c47412064aeaef64cf83c6c8243af6163bfde30441fdcb6982af5f76091fc879
-
Filesize 384KB
MD5 74821ba11d35cd9dff9f2b1590ba4a7e
SHA1 267a1d259b51f58ee00949de6252251b986bd666
SHA256 72c05006fd9955b4a01fec68daad0749de0691553f20e2962b5a35330ae43427
SHA512 3985161a9283507189665c516e7436a255856c2111a6cb84f027ce21e06ec5e77e16a722fe03bd779e84b55042ed42a1faef523066c4477c641b797d7e4c3707
-
Filesize 384KB
MD5 7cc81917eb71529c6c5b109fdc287049
SHA1 5ed616faf8ad6e748fba1c83e021af4037c6c900
SHA256 1c3faaa7fa9c1588c4f8fbde25ad8e0313f247e9a7220b04f71a64a68d6cd4c8
SHA512 e3f2be5f150980660e7c5bd3ca58c97d13c846b926f9e9c28d76645b532150fafbcf690587d0df43993f3459b4a2630dc6275e798f80fd332648117f858770b8
-
Filesize 384KB
MD5 24ff196bebdefdf533db5188aaad478c
SHA1 88c6bdc501902d46bac8e2b48a197bcf46e9c021
SHA256 22781ec92b94b1bb09a54f02b29ae79cf538904a1e08b24920a17ae07294a64d
SHA512 56279a72c6ccbeb134aad7f496b9b2f050847b1525291e98306a22e07ff8304b32647de540612724d3775a08c610d942a1b75940e0f0956eee254893b19e947b
-
Filesize 45KB
MD5 870b96eed62f7d5abbba27da18f5e311
SHA1 31f3e769f408b67e695ac36b561b0f30421d52a6
SHA256 a81cff2cd43e0bca1b48b59dfe14ec7dea62d1a6bb5f3a2082ee443129628ea5
SHA512 33e6c2570300392c8465e475c24876557fbcc919baa05c2f49ff08ec45d735618c5cf97bab50dd4b04c6cad919870166357b42362256053424facaaf91036f06
-
Filesize 45KB
MD5 1163a1ef00401b07c0327c95420fa040
SHA1 0b17ea8f7cf9778bb85eccda5716bccfaacaced2
SHA256 26ab2458efac9e07f20e7279fe227ed6d1062efd4ebb70d54315b2c6d9cfb06b
SHA512 90f47412c2bfd5bd31e91e1fa062f04c8af0d56104da135f2149ce2d89c9b87ba5a54c8b21afca09b6170d915cac63eeeaa8a43dee1e701812af82f6d11ff6e6
-
Filesize 384KB
MD5 50053b60cebfaf57db2b8f5d8553ad0d
SHA1 1597ab966376e93c51cc28d6b8ccc6e1629f9e94
SHA256 0e22c064a41a8d9fe4a919115b3dc58802bb7817b4a06662e32cb7b158c347b5
SHA512 1694b14038dbb15685110fa7577d20d8c3a749f1efbd0c5e5a5313c2d5f4d5e583775ecca79e7220923f07ca3ada4134bbcffd773c138b501955005bcd50824b
-
Filesize 384KB
MD5 02a0b5f6641a88c7f853f2cf8bbdc9f6
SHA1 d1ae79d9ac7d7d991214c5eb29120bc65b0fdcb9
SHA256 50ab789cbb6e0c66307dd8d5af85e8026499c5e5732f429f3107c304b4b339c4
SHA512 315875f11eb4d6d9026225b53a15a3b69eeec2f084492720e30e7b5b53ab28dd08a68b7437e010b212898482502b940ccbd9740c19fb8f04ec3752ba44efc4ed
-
Filesize 1.3MB
MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize 384KB
MD5 6f030e7c20d32e9867fc86b08687170c
SHA1 0a4d392a392d126634d8eec814c51c185888e818
SHA256 503758ca5942e060fb9db2b0edbcf9acd7f35b424c9e7fdab68a6bc13adb8c88
SHA512 9ca20cac482af22508d0653846c74efe504a2eb7fd957b1b1e3289fb0685853dcfe1a7d5c3be8e113c2733bda07225ee92e99792738cd8422b393036a22258c4
-
Filesize 384KB
MD5 f666c72355d2852181edf7c4331e6599
SHA1 3f6f11390d134d1be0bb1d09fc8b0a83f3a6624b
SHA256 0fc340955dedb8f08508d8771560c15e207bd49a9a46ea0a4e95c93a2fc91adc
SHA512 6cf8d88faccbaeb84803394aaa19b7567bfb62ef9dca4c6229b1d386d37fab6b8dc4dc0cc6cedc9e9d43d4ede4177eecbbead7fc07dd3c0ad2b42b7b18475f0a
-
Filesize 384KB
MD5 49ad4f5f20f860f234835f6906c8bf44
SHA1 461bcd08b10512a120c8813ea509b3964f12384b
SHA256 0dc86df118ec71825102a48798e78087dd9d1d4eb50a65dc345285d22a8106c2
SHA512 1b7784f34af7bfcf52dc153f8834660e5259279eb7692844d5cc9dbac5ea6e7ac68f1822d773f7694fcaf4ddf357bdcd3006a7f0c565947c5eb8b0a557c0b544
-
Filesize 384KB
MD5 091fefeaa3c6fbecfebf4aa942595464
SHA1 509e53182a39b7793e54c5a0402ac897e8bee7e0
SHA256 5a47d405c78158256ec432582a247028a6854d722a12a616e6f3afef83809f6e
SHA512 41e112abddd506b962fd4d797895fb052ed717aa9021e5e5c5df6a5fe0aa3b2247f413dad439e950f4c3cc10bd2fa07909f6dc4f76e8ee33208ff74969311ecf
-
Filesize 384KB
MD5 c1eb213dadf03c15c500ee0e15cbf260
SHA1 cb40a0d6d7ed1ef83c2145eb4340f46453feb240
SHA256 d08f3173c890304961f914b4e58126fe48cde05c53c0c869eedc5253d6e55f9a
SHA512 74729eba319094532f3f2a2108be0e85e72294a6e3717a697fd33f2ddfd306e608a03ad5a9ba765a3cad18258404256ad45fc51d871f284a23a2baca02eee875
-
Filesize 384KB
MD5 7576ffcc0e424fb72372c0e8c0e3ed2e
SHA1 91739373235e9e226baa11b284a82c9a61ca3f14
SHA256 68b2aa2f1b259f6e725fff17dabd8eae8d75da11fe407b934305bec2b47ab2b5
SHA512 1caa41ba628b444f0ff1795870bcdbeff6af5f36c799515069ce14d347cc2e4ce9955be8714f3f877e4a58680b2bc1564e465fc8ccb8b75b56494eb7c15e88bf
-
Filesize 384KB
MD5 f548e5a3a1affe48053a0a2cbc46ef71
SHA1 0113e2a14349958a850e4d18987148de4a36c587
SHA256 e816de577c9a4e5830f26343ef8c8c81b1e313a5866791014b7f300beda24c58
SHA512 12219328e27237bb76d90175fbdc384d67c339bd0ba9ebb3fea732bf0e3dd2bc7b5b6da80d47929be105703708040a04f8b497be46fd3d862b8a20476998a287
-
Filesize 384KB
MD5 6e1522b6b7c51ebdc0806a92dee44c26
SHA1 e8bf3d1b3e2b2a69219b02865ce757e6327edd72
SHA256 7a968c126cd677eb57211140a069bc1190893a6be4e5fa7e64aa4c9443cfc9d3
SHA512 416486ca1db7c5a8869361032707f76384318cb4e5765bbb4e01abcd50d56cf7fe2d9aa438048c09980c9e2088b7af5ed6972fde96ae5407e1172959152df2e6
-
Filesize 729B
MD5 8e3c734e8dd87d639fb51500d42694b5
SHA1 f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256 574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA512 06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853
-
Filesize 384KB
MD5 182367e34a3d5140b87985b49a1c453f
SHA1 0fe4546525e555a6d0fc43362c8ec3f144fe0ef8
SHA256 78638a0001b4b288e8601ec59add5b85a997831a100454d95c919747817c64dc
SHA512 365fc2f64cde416259a7af0acdcb73eb5a0d7b02fa6367671c92dc6c3a5a416369cf9a56d1e862f324139c2a528b833fc7a69a8975cbf0b799024b450bca758f
-
Filesize 384KB
MD5 2b20767cb126756e273cc3b672c24ce2
SHA1 8fa6ed3f2a250b86a33b60e16b49ddefde27648c
SHA256 aa49c4314e87c42864e23af944c5966fa8eb01a1a4dfac41a336584a7f37338f
SHA512 7501cd204f7e22aa169f4e91ac48435fa6d9400c6284dcd1b9d3552f165279aeaa8a1dcaa3e7165675a7e532479af983b043bf323fe26df55664b4b1c1de7822
-
Filesize 384KB
MD5 67283f7489d99b0534c0ce0cbddc1b5b
SHA1 1b60efd198035a6f8fbbb13d3bd7abdc9c44860d
SHA256 4388f80a3b3a6419ad154cb93344f1d5330fb2e039cb633e9d1f99a77eda1e8b
SHA512 3eb5973a7967d026037fac930148d12bb1788850d299cfc86a15cd053e9d2f00eb305bd4c521c66122dd87498220d1efd4e8ede054fe6f201ac3d1102f8a0daf
-
Filesize 39B
MD5 415c421ba7ae46e77bdee3a681ecc156
SHA1 b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256 e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512 dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62