Analysis
  Max time kernel: 120s
  Max time network: 95s
  Platform: windows10-2004_x64
  Resource: win10v2004-20241007-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 10-11-2024 01:39
Static task: static1

Behavioral task: behavioral1
  Sample: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  Resource: win10v2004-20241007-en
General
  Target: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  Size: 64KB
  MD5: bb79e9d53044c165289a0386b625c770
  SHA1: 3e73cb3a3e35eb2d1c888ed542c14d0395f56460
  SHA256: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8
  SHA512: 46a4af80721b215f03e1ae7e37d66d809d68c8d873c70ed8bcb73c74814542899b3de18e964d51413008fb0ffab20a5eb3b97148795fad4a3d044779990d7b4c
  SSDEEP: 768:VNuG777/+V36n9PcXYvn8KR1I3NznRAQZlh4VkpX179r+R5rOwekflNuG777/+VS:V8w2VS9Eovn8KRgWmhZpX1QCwJ8w2VS
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
Processes: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, IExplorer.exe, imoet.exe, cute.exe, winlogon.exe, Tiwi.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""
    by: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, IExplorer.exe, imoet.exe, cute.exe, Tiwi.exe, winlogon.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"
    by: cute.exe, winlogon.exe, imoet.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, IExplorer.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
Processes: imoet.exe, cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, IExplorer.exe, winlogon.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
    by: imoet.exe, cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, IExplorer.exe, winlogon.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
Processes: IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
    by: IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe
Disables RegEdit via registry modification (6 IoCs)
Processes: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
    by: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification (6 IoCs)
Processes: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"
    by: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe
Disables use of System Restore points (1 TTPs)
Executes dropped EXE (35 IoCs)
Processes (PIDs in the order reported):
  Tiwi.exe: 5088, 384, 2832, 4856, 3648, 3492, 2340
  IExplorer.exe: 3112, 1044, 1780, 4296, 1368, 4432, 4440
  winlogon.exe: 2796, 4528, 2236, 928, 5036, 4884, 2980
  imoet.exe: 4408, 4412, 1700, 2208, 1240, 2572, 4448
  cute.exe: 2624, 2424, 4456, 3828, 4324, 3188, 1936
Loads dropped DLL (6 IoCs)
Processes (PIDs):
  Tiwi.exe: 384, 2832, 4856, 3648, 3492, 2340
Modifies system executable filetype association (2 TTPs, 64 IoCs)
Processes: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, winlogon.exe, cute.exe, IExplorer.exe, imoet.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
    by: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, imoet.exe, winlogon.exe, IExplorer.exe, cute.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
    by: Tiwi.exe, cute.exe, IExplorer.exe, winlogon.exe, imoet.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
    by: cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
    by: winlogon.exe, imoet.exe, cute.exe, Tiwi.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, IExplorer.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
    by: Tiwi.exe, IExplorer.exe, cute.exe, imoet.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
    by: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, IExplorer.exe, cute.exe, winlogon.exe, Tiwi.exe, imoet.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
    by: Tiwi.exe, winlogon.exe, imoet.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, cute.exe, IExplorer.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
    by: Tiwi.exe, winlogon.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, cute.exe, IExplorer.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
    by: cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, imoet.exe, Tiwi.exe, IExplorer.exe, winlogon.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
    by: Tiwi.exe, winlogon.exe, imoet.exe, cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
    by: winlogon.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, imoet.exe, IExplorer.exe, cute.exe, Tiwi.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
    by: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
Processes: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, IExplorer.exe, cute.exe, winlogon.exe, imoet.exe, Tiwi.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"
    by: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, IExplorer.exe, Tiwi.exe, winlogon.exe, imoet.exe, cute.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"
    by: cute.exe, imoet.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"
    by: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, winlogon.exe, cute.exe, IExplorer.exe, imoet.exe, Tiwi.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"
    by: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, winlogon.exe, IExplorer.exe, imoet.exe, Tiwi.exe, cute.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, cute.exe, Tiwi.exe, IExplorer.exe, imoet.exe, winlogon.exe
File opened (read-only), drive root \??\<letter>: per process:
  5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe: B:, H:, I:, J:, O:, P:, R:, S:, X:
  cute.exe: B:, I:, L:, O:, Q:, V:, W:, X:, Z:
  Tiwi.exe: B:, G:, I:, J:, L:, M:, N:, O:, P:, Q:, T:, V:, W:, Y:
  IExplorer.exe: E:, G:, H:, I:, M:, O:, P:, R:, V:, Y:, Z:
  imoet.exe: I:, K:, O:, R:, S:, V:, W:, X:, Z:
  winlogon.exe: B:, E:, I:, K:, N:, O:, P:, Q:, R:, U:, V:, X:
Modifies WinLogon (2 TTPs, 18 IoCs)
Processes: IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, Tiwi.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\
    by: IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"
    by: Tiwi.exe, winlogon.exe, imoet.exe, cute.exe, IExplorer.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "
    by: winlogon.exe, IExplorer.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, imoet.exe, cute.exe
Drops autorun.inf file (1 TTPs, 6 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe
  File created F:\autorun.inf  by: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  File opened for modification F:\autorun.inf  by: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  File created F:\autorun.inf  by: Tiwi.exe
  File opened for modification F:\autorun.inf  by: Tiwi.exe
  File created C:\autorun.inf  by: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  File opened for modification C:\autorun.inf  by: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Drops file in System32 directory (40 IoCs)
Processes: cute.exe, IExplorer.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, imoet.exe, Tiwi.exe, winlogon.exe
  File created C:\Windows\SysWOW64\IExplorer.exe
    by: cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, winlogon.exe, imoet.exe, IExplorer.exe, Tiwi.exe
  File created C:\Windows\SysWOW64\shell.exe
    by: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  File created C:\Windows\SysWOW64\tiwi.scr
    by: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  File created C:\Windows\SysWOW64\msvbvm60.dll
    by: IExplorer.exe (7 instances)
  File opened for modification C:\Windows\SysWOW64\IExplorer.exe
    by: IExplorer.exe, imoet.exe, Tiwi.exe, winlogon.exe, cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  File opened for modification C:\Windows\SysWOW64\shell.exe
    by: cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, imoet.exe, IExplorer.exe, Tiwi.exe, winlogon.exe
  File opened for modification C:\Windows\SysWOW64\tiwi.scr
    by: IExplorer.exe, imoet.exe, cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, winlogon.exe, Tiwi.exe
  File opened for modification C:\Windows\SysWOW64\msvbvm60.dll
    by: IExplorer.exe (7 instances)
Drops file in Windows directory 26 IoCs
Processes:
  description | ioc | process(es), merged per ioc
  File created | C:\Windows\tiwi.exe | IExplorer.exe, imoet.exe, cute.exe, Tiwi.exe, winlogon.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  File created | C:\Windows\msvbvm60.dll | IExplorer.exe (x7)
  File opened for modification | C:\Windows\tiwi.exe | cute.exe, IExplorer.exe, imoet.exe, Tiwi.exe, winlogon.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe (x7)
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process(es), merged per ioc
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe (x7), IExplorer.exe (x7), cute.exe (x7), Tiwi.exe (x7), imoet.exe (x7), 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Modifies Control Panel 54 IoCs
Processes:
  description | ioc | process(es), merged per ioc ("all six" = 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, IExplorer.exe, imoet.exe, winlogon.exe, cute.exe)
  Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ | all six
  Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\ | all six
  Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Mouse\ | all six
  Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | all six
  Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | all six
  Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | all six
  Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Mouse\SwapMouseButtons = "1" | all six
  Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\s1159 = "Tiwi" | all six
  Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\s2359 = "Tiwi" | all six
Processes:
  description | ioc | process(es), merged per ioc ("all six" = 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, IExplorer.exe, imoet.exe, winlogon.exe, cute.exe)
  Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\ | all six
  Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | all six
  Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | all six
Modifies Internet Explorer start page 1 TTPs 6 IoCs
Processes:
  description | ioc | process(es), merged per ioc
  Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | winlogon.exe, imoet.exe, cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, IExplorer.exe
Modifies registry class 64 IoCs
Processes:
  description | ioc | process(es), merged per ioc (the listing stops at 64 rows, so the per-process lists are incomplete)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe, imoet.exe, winlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, cute.exe, winlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe, imoet.exe, cute.exe, winlogon.exe, Tiwi.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe, IExplorer.exe, Tiwi.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | imoet.exe, cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, IExplorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | winlogon.exe, imoet.exe, IExplorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Tiwi.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, winlogon.exe, cute.exe, IExplorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | cute.exe, imoet.exe, IExplorer.exe, winlogon.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | imoet.exe, winlogon.exe, cute.exe, Tiwi.exe, IExplorer.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe, Tiwi.exe, imoet.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe, winlogon.exe, Tiwi.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | IExplorer.exe, Tiwi.exe, cute.exe, winlogon.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | imoet.exe, winlogon.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, cute.exe, Tiwi.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | winlogon.exe, imoet.exe, Tiwi.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid | process
  4972 | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe (x2)
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
Processes:
  pid | process
  5088 | Tiwi.exe
  4408 | imoet.exe
  2796 | winlogon.exe
  3112 | IExplorer.exe
  2624 | cute.exe
Suspicious use of SetWindowsHookEx 36 IoCs
Processes:
  process | pids (in the order listed)
  5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe | 4972
  Tiwi.exe | 5088, 384, 2832, 4856, 3648, 3492, 2340
  IExplorer.exe | 3112, 1044, 1780, 4296, 1368, 4432, 4440
  winlogon.exe | 2796, 2236, 4528, 928, 5036, 4884, 2980
  imoet.exe | 4408, 4412, 1700, 2208, 1240, 2572, 4448
  cute.exe | 2624, 2424, 3828, 4456, 4324, 3188, 1936
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe
description | pid | process | target process | rows logged
PID 4972 wrote to memory of 5088 | 4972 | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe | Tiwi.exe | 3
PID 4972 wrote to memory of 3112 | 4972 | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe | IExplorer.exe | 3
PID 4972 wrote to memory of 384 | 4972 | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe | Tiwi.exe | 3
PID 4972 wrote to memory of 1044 | 4972 | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe | IExplorer.exe | 3
PID 5088 wrote to memory of 2832 | 5088 | Tiwi.exe | Tiwi.exe | 3
PID 3112 wrote to memory of 4856 | 3112 | IExplorer.exe | Tiwi.exe | 3
PID 5088 wrote to memory of 1780 | 5088 | Tiwi.exe | IExplorer.exe | 3
PID 4972 wrote to memory of 2796 | 4972 | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe | winlogon.exe | 3
PID 3112 wrote to memory of 4296 | 3112 | IExplorer.exe | IExplorer.exe | 3
PID 5088 wrote to memory of 4528 | 5088 | Tiwi.exe | winlogon.exe | 3
PID 3112 wrote to memory of 2236 | 3112 | IExplorer.exe | winlogon.exe | 3
PID 3112 wrote to memory of 4408 | 3112 | IExplorer.exe | imoet.exe | 3
PID 5088 wrote to memory of 4412 | 5088 | Tiwi.exe | imoet.exe | 3
PID 4972 wrote to memory of 1700 | 4972 | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe | imoet.exe | 3
PID 5088 wrote to memory of 2624 | 5088 | Tiwi.exe | cute.exe | 3
PID 4972 wrote to memory of 2424 | 4972 | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe | cute.exe | 3
PID 3112 wrote to memory of 4456 | 3112 | IExplorer.exe | cute.exe | 3
PID 4972 wrote to memory of 928 | 4972 | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe | winlogon.exe | 3
PID 4972 wrote to memory of 2208 | 4972 | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe | imoet.exe | 3
PID 4972 wrote to memory of 3828 | 4972 | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe | cute.exe | 3
PID 2796 wrote to memory of 3648 | 2796 | winlogon.exe | Tiwi.exe | 3
PID 4408 wrote to memory of 3492 | 4408 | imoet.exe | Tiwi.exe | 1
-
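Each row above is a parent writing into a child it has just created, and the sandbox logs every spawn three times; the list stops after 64 rows, part-way through the last spawn (4408 into 3492 appears once), so a tree rebuilt from it alone is partial and the Processes section below remains the complete record. The following is an added example, not code from the sandbox or this report, that parses rows in this format, collapses the repeats into one edge per spawn and rebuilds the parent/child tree with the same 1-based levels the Processes section uses. The sample rows are a constructed subset copied from the table above; the function and variable names are the example's own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the WriteProcessMemory rows in this report,
# copied as the sandbox lists them (note the three identical rows for 5088).
SAMPLE_ROWS = """
PID 4972 wrote to memory of 5088 4972 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe Tiwi.exe
PID 4972 wrote to memory of 5088 4972 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe Tiwi.exe
PID 4972 wrote to memory of 5088 4972 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe Tiwi.exe
PID 4972 wrote to memory of 3112 4972 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe IExplorer.exe
PID 4972 wrote to memory of 2796 4972 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe winlogon.exe
PID 5088 wrote to memory of 2832 5088 Tiwi.exe Tiwi.exe
PID 5088 wrote to memory of 1780 5088 Tiwi.exe IExplorer.exe
PID 3112 wrote to memory of 4408 3112 IExplorer.exe imoet.exe
PID 2796 wrote to memory of 3648 2796 winlogon.exe Tiwi.exe
PID 4408 wrote to memory of 3492 4408 imoet.exe Tiwi.exe
"""

_ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")

# (parent pid, child pid, parent image, child image)
Edge = Tuple[int, int, str, str]


def parse_rows(text: str) -> List[Edge]:
    """Turn the rows into edges, keeping one edge per spawn even though the
    sandbox records three memory writes for every child it sees created."""
    seen, edges = set(), []
    for line in text.strip().splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        writer, target, pid, image, target_image = m.groups()
        if writer != pid:
            # the description and the pid column name the same process
            raise ValueError(f"pid mismatch in row: {line!r}")
        edge = (int(writer), int(target), image, target_image)
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges: List[Edge]) -> Tuple[Dict[int, List[int]], Dict[int, str]]:
    """Return children-by-parent and image-by-pid maps."""
    children: Dict[int, List[int]] = defaultdict(list)
    images: Dict[int, str] = {}
    for parent, child, parent_image, child_image in edges:
        children[parent].append(child)
        images.setdefault(parent, parent_image)
        images[child] = child_image
    return children, images


def roots(edges: List[Edge]) -> List[int]:
    """Pids that write to children but were never written to: the tree roots."""
    parents = {e[0] for e in edges}
    kids = {e[1] for e in edges}
    return sorted(parents - kids)


def depth_of(children: Dict[int, List[int]], root: int, pid: int) -> Optional[int]:
    """1-based level of pid below root, as the Processes tree numbers it."""
    stack = [(root, 1)]
    while stack:
        cur, level = stack.pop()
        if cur == pid:
            return level
        for c in children.get(cur, []):
            stack.append((c, level + 1))
    return None


def render(children: Dict[int, List[int]], images: Dict[int, str], root: int, level: int = 1) -> List[str]:
    """Indented text rendering of the tree, one line per process."""
    lines = [f"{'  ' * (level - 1)}{images[root]} (PID {root}, level {level})"]
    for c in children.get(root, []):
        lines.extend(render(children, images, c, level + 1))
    return lines


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    children, images = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(children, images, root)))
```

On the sample this yields one root (4972, the submitted file) and puts Tiwi.exe 3492 at level 4 and Tiwi.exe 3648 at level 3, which agrees with where the Processes section places them.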
System policy modification 1 TTPs 12 IoCs
Processes:
IExplorer.exe, imoet.exe, cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cute.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe
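The Winlogon and Policies\System writes in this report are the two registry checks a responder wants on a suspect host: extra programs appended to Winlogon\Shell (by default just explorer.exe) or to Winlogon\Userinit (by default C:\Windows\system32\userinit.exe followed by a comma), and DisableCMD set to 1. One caveat is visible in the paths themselves: the sample is 32-bit (its IExplorer.exe copy lands in SysWOW64 even though its command line says system32), so its Winlogon writes went to the WOW6432Node view, which the 64-bit winlogon on this x64 machine does not consult, whereas Policies\System is not redirected and the DisableCMD value takes effect system-wide. A check therefore has to look at both views and report which one a value came from. The following is an added example, not code from the report or the sandbox, that parses IoC lines in the format above, undoes the sandbox's quoting, and flags the non-default components with the view they were written to; the four sample lines are a constructed subset copied from this report, and the function names are the example's own.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: four registry IoC lines copied from this report, as the
# sandbox prints them (data double-quoted, embedded quotes and backslashes
# escaped C-style, writing process last).
SAMPLE_IOCS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System imoet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe
"""

# Known-good contents (compared case-insensitively) of the two Winlogon values
# the sample tampers with; any other component is a finding.
WINLOGON_DEFAULTS = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe"},
}

_IOC_RE = re.compile(r"^(Set value \((?:str|int)\)|Key created) (.*) (\S+)$")


@dataclass(frozen=True)
class RegistryEvent:
    op: str               # "Set value (str)", "Set value (int)" or "Key created"
    path: str             # key path, plus the value name for "Set value"
    data: Optional[str]   # written data with the sandbox's escaping undone
    process: str          # image name of the writing process


def parse_ioc_line(line: str) -> RegistryEvent:
    m = _IOC_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised IoC line: {line!r}")
    op, middle, process = m.groups()
    path, data = middle, None
    if op.startswith("Set value"):
        path, _, quoted = middle.partition(' = "')
        # drop the closing quote, then turn \" and \\ back into " and \
        data = re.sub(r"\\(.)", r"\1", quoted[:-1])
    return RegistryEvent(op, path, data, process)


def components(value_name: str, data: str) -> List[str]:
    """Split a Winlogon value the way winlogon reads it: Userinit is a
    comma-separated list, Shell a space-separated list that honours quotes."""
    if value_name == "Userinit":
        parts = data.split(",")
    else:
        parts = [p.strip('"') for p in shlex.split(data, posix=False)]
    return [p for p in parts if p]


def findings(events: List[RegistryEvent]) -> List[Tuple[str, str, str, str]]:
    """Return (process, value name, offending data, registry view) tuples."""
    out = []
    for ev in events:
        if ev.data is None:
            continue  # "Key created" carries no data to judge
        key, _, value_name = ev.path.rpartition("\\")
        view = "WOW6432Node" if "\\wow6432node\\" in key.lower() else "native"
        if key.lower().endswith(r"\currentversion\winlogon") and value_name in WINLOGON_DEFAULTS:
            for comp in components(value_name, ev.data):
                if comp.lower() not in WINLOGON_DEFAULTS[value_name]:
                    out.append((ev.process, value_name, comp, view))
        elif key.lower().endswith(r"\policies\system") and value_name == "DisableCMD" and ev.data != "0":
            out.append((ev.process, value_name, ev.data, view))
    return out


if __name__ == "__main__":
    events = [parse_ioc_line(l) for l in SAMPLE_IOCS.strip().splitlines()]
    for f in findings(events):
        print(f)
```

On the sample the Shell and Userinit findings both carry the WOW6432Node view and the DisableCMD finding the native one, which is exactly the split the caveat above describes.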
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, command line: "C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4972 -
[level 2] C:\Windows\Tiwi.exe, command line: C:\Windows\Tiwi.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5088 -
[level 3] C:\Windows\Tiwi.exe, command line: C:\Windows\Tiwi.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2832 -
[level 3] C:\Windows\SysWOW64\IExplorer.exe, command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1780 -
[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4528 -
[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4412 -
[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2624 -
[level 4] C:\Windows\Tiwi.exe, command line: C:\Windows\Tiwi.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2340 -
[level 4] C:\Windows\SysWOW64\IExplorer.exe, command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4440 -
[level 4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2980 -
[level 4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4448 -
[level 4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1936 -
[level 2] C:\Windows\SysWOW64\IExplorer.exe, command line: C:\Windows\system32\IExplorer.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3112 -
[level 3] C:\Windows\Tiwi.exe, command line: C:\Windows\Tiwi.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4856 -
[level 3] C:\Windows\SysWOW64\IExplorer.exe, command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4296 -
[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2236 -
[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4408 -
[level 4] C:\Windows\Tiwi.exe, command line: C:\Windows\Tiwi.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3492 -
[level 4] C:\Windows\SysWOW64\IExplorer.exe, command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4432 -
[level 4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4884 -
[level 4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2572 -
[level 4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3188 -
[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4456 -
[level 2] C:\Windows\Tiwi.exe, command line: C:\Windows\Tiwi.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:384 -
[level 2] C:\Windows\SysWOW64\IExplorer.exe, command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1044 -
[level 2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2796 -
[level 3] C:\Windows\Tiwi.exe, command line: C:\Windows\Tiwi.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3648 -
[level 3] C:\Windows\SysWOW64\IExplorer.exe, command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1368 -
[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5036 -
[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1240 -
[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4324 -
[level 2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1700 -
[level 2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2424 -
[level 2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:928 -
[level 2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2208 -
[level 2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3828
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (9)
Downloads
-
Filesize: 64KB
MD5: eb41a76397e1ba037c353dee4ed9b92c
SHA1: f91cbba7d1b1eb5490c12394a03f9679f3403653
SHA256: 000617d924a575dfc6df5e3d54d1d3a8c8047eb97d636b7b8ccbc69ee343ccc8
SHA512: 6735dc880ac2d66386d712a51d5ed3ec1494525adfae4959fb508138e1fbfd4a3678af9377ab510917e1bd8831ed084bcb8cc1eef2663bc453d3d502d254a805
-
Filesize: 45KB
MD5: 6de5d3b1209305248207e8da2c855516
SHA1: 8082db5d79b8a8ecc18187de963f64e609c2fb35
SHA256: 968ba9fca9b0dab46fd485d7e546dac0304e4dac2d14f5e9dd68a2d49733d133
SHA512: e4cb22ddb3123423eeaf87e3f5db1786a6d8dc3c24d9ab46dec40527bb6a3e9ee0e834bfa429c2879dd040fd5ad8ad1f9b3fc6d5e3d06e9c507b4c2fe12863ce
-
Filesize: 64KB
MD5: 8f339a5b7c35ccc44c99a7ac49863270
SHA1: 37bc6d2bc13323026bffb1d341c212e31393fe16
SHA256: a3bfe8f7dc635bb8d155956d068621e5bc71dc3a082b344b824adcc80aacb775
SHA512: ee664af606942e51b3be1285a9706398fabf94021585c078ab8e8cf73aa78d2e017981c68376348ab752cbdba215015d7b2475abdeb929fd2e803f773d68782b
-
Filesize: 64KB
MD5: 26ebc519257447b3509c8f692316c193
SHA1: 7aa3e0265d83c24cd9c969baf0f9b404eb3d4239
SHA256: 0d4758d2de694d7ad8bac2a01c841219cab2aeb21f0b05ce3f582b07bc8ca66e
SHA512: 2d7dae335d052c7e2ec34fbb2a0f538719be7102aa4b71007e5c266defe402924a13475e105c81fb3061047ff09ed534a4ab92999e53725f665544f0ddba6a70
-
Filesize: 64KB
MD5: 5a7d5e406f047ac4331abbe1ad36a521
SHA1: 24378a5a93e662ccf3e29f697707e46bd290334a
SHA256: b5181d5504b190c5b2a9f94e1fc256af8eb9cb90f0740c6182d4ea9f32a3974e
SHA512: c0ccf487dfdf0cdb4e1c2832e772dc77f3d8cbe2bea47d0078a7a9ea75152ef13c004fc6b1dd93eb8ae2803df3593a36b2719aea7adbbcca271abb315c5c425b
-
Filesize: 64KB
MD5: b2de02fa9cba9b5741b984dea1e7cba6
SHA1: b5d7c80eda97943971a18d112b7fc5234756afa8
SHA256: 6d5a7cca64331b32381f214df8f9329d856867bee45f0605c53cc1b59bb10a97
SHA512: 77a6a06251c7e86dab4414159fb7728f792d0d3128cfd28f5c07de69247c87f30f4b2df635e82b1025175dbe6eb106e8405811d1d8c12304804d36e36e792cd7
-
Filesize: 64KB
MD5: 582c2b55157c63681f41a4853317467f
SHA1: c989c8bca8396c111b29ab71b6a59bf219f50af8
SHA256: 7ad4a59f865b29b5c98d64e297aabae115c1c4525aad2ee10407e668f5582a4f
SHA512: d23818f9b70960ce3b62cbb6fb27af036154496b06b30bbd78514fe93d333c4a7d3f1e170516cb3f3ee9f93cbc28521499e81eecc23e562a0b391d5a1c425e9c
-
Filesize: 45KB
MD5: 3ea1f053e96a607b202f294356f7baf2
SHA1: 627004ab3dff68152de6ae424b2ef5a83a5deb4e
SHA256: 8db4577d980804976e6ebc27d27ca92c7438d9021f24313a9d80613f31fa7c53
SHA512: 059b832e756d20485385ffcda6dd13476182fb6ae976f3da97a6bf05ce3b4f6537964d1a09b28bbb2e277d94012ae3ceb1546d8c5efbe8578078f33ce6e47e09
-
Filesize: 45KB
MD5: 1228d3e42be5c7c20ab7039f72f8c533
SHA1: c3ff01d2f7e5f600b47ee00f33c3581958ea70f0
SHA256: 2334f0ee5cce275112ff7cb888e8194aad5eec436a3b565afcbc6d476186c1cb
SHA512: aec5a64ac8c70c4ded486cc49aff436fb78c6f8b16f72fe5293354e634b50b523ea9f534263970e06b4e9edd3334c3b67938ade5ae735e8fa19af3dcbdab478a
-
Filesize: 64KB
MD5: 22d8ed47630f57e9e5baef979f3e98fd
SHA1: dccafc6d26ec250d8932ca3fbf96c0f5fdab4c18
SHA256: d2d1fdd261f2b1647ffa155b1e16dc0c9941900e16d87c110cc20d176ada99ee
SHA512: 6e0269cbf08b651b5994efecff0f17067b8a1022352943ade5fd1bb5a572c69c0cb2ee81b4f409a63813a6615dd1a26acac39c2f840c956079ac0ac8963034e3
-
Filesize: 64KB
MD5: c73f8ffd13aa0963a973ee00d137d554
SHA1: 6de05b61e0447baee3223a1964318b14300774a0
SHA256: 20f1fcf86d0ed782e98c5865ce9c86bb989f88b600c08b3401ab03f433f63d56
SHA512: 9e10564eb2111e62022ac8709b2c5bec909ee1b782f54a46404997274ca98d0b9975447b50252f9d11d429f11ba8583df228ebba2aeb50c029f0ed4c0b51f0b2
-
Filesize: 64KB
MD5: 70947bac82003b8989ffddc1b74806cd
SHA1: 69f37866981381d2c822e49b067d197c63da907f
SHA256: 26e99d9b6483214db00fafb693fdec603cdce8909d7a6b3d2ede202b497f70a7
SHA512: 83c635444dd97cadb2a80bd62506e1dabb1b047bf2d850bca81126d827fcefc2ba5f5346770407b7dbe056404d9155cd89096eca1103538a530832a3c09d0aed
-
Filesize: 64KB
MD5: 74583f1dca1c153a74bf53a397543e38
SHA1: 2d6293c653dc939daf5ec3d6c751bc14d3fd2e16
SHA256: 186ce1f9647533b34b045b235188eb8bfbdcae745d20c8f5099f691a7e3f2c8c
SHA512: cb6348a229164fd55a4a64f0f4d241ee99e9c26d739b253ebd44c240b3b75f57394962977f811648063b2c44662a3b489eccfb706d3f0cc9f28916ce74bf1c11
-
Filesize: 1.4MB
MD5: 25f62c02619174b35851b0e0455b3d94
SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize: 64KB
MD5: f79e946681c2ec43a5e8720fa38d5532
SHA1: 3298aeec01afc1b0f7060e9caf768f8f911b2ef5
SHA256: 39e8814d088c49e5780e7ed6414f32b9ec2c329f9b64f1fbcbf32cc49e9bde78
SHA512: da53967efa4ce0ab26e54762967cacf39e28d5fe097a091090b57085e81aae852acb5359e22fd7e72974327e89be5808b43c56af3ee0c9034bb6dc51235ad05d
-
Filesize: 64KB (same hashes as the submitted sample)
MD5: bb79e9d53044c165289a0386b625c770
SHA1: 3e73cb3a3e35eb2d1c888ed542c14d0395f56460
SHA256: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8
SHA512: 46a4af80721b215f03e1ae7e37d66d809d68c8d873c70ed8bcb73c74814542899b3de18e964d51413008fb0ffab20a5eb3b97148795fad4a3d044779990d7b4c
-
Filesize: 64KB
MD5: 14280968967b5cc40903ae182c56a89c
SHA1: 2fa237872b8500d9ddd6b4b5d9e43f97f2e20d3b
SHA256: 65efeeddee80a68a265780d8ed267d61fdd018f94c4d9254acf7a841e40b2b84
SHA512: 524f7f37029107ac84b554b003cbcba199578c8872993e060a4b617c261ba660de99a9e3fa5d657f8deddc02c7b68f3eb2badaccfa46e4d9e712c0cb834ab847
-
Filesize: 64KB
MD5: ed55ad789559cb6325d048c931bc07a2
SHA1: eb2f2aa1aafee165ca5b1e56ac37402812c57e3a
SHA256: 3cae60364e851a5c7611f88ec136956f6fef7e1e5adef0282dd1752f49a77114
SHA512: e17f0500171617bbc1d85c1991b35c26010ff8b2383b27fbc75d375bc20cb93bfb5c7959004e35fefa3b6fe29c978aab7ad2c53929337cc84bb04d28c28224a9
-
Filesize: 729B
MD5: 8e3c734e8dd87d639fb51500d42694b5
SHA1: f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256: 574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA512: 06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853
-
Filesize: 64KB
MD5: cde0d134a7b49abb062ac2db47f11caa
SHA1: 1709e595c8a20c510f9b5edf48715d59a9a51d76
SHA256: 7999066b517217856996fd257452b59f1617d986546162b695a54b204ee3c0a6
SHA512: 8715fe05dc46047869d9dc98c3af02abba03990d03598b6c8cf4dc6012a3ab36c128f00bbe475067dcf47a28ffd069bca74509db357bd09682e5766ef0f11d63
-
Filesize: 39B
MD5: 415c421ba7ae46e77bdee3a681ecc156
SHA1: b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256: e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512: dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62