Analysis

max time kernel: 120s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 13:52

Static task: static1

Behavioral task: behavioral1
Sample: c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Resource: win10v2004-20241007-en

General

Target: c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Size: 488KB
MD5: 5953ebd2fec51a3466574c73734b3310
SHA1: 02e7ed57055aca483933a7906be4a171f132edd7
SHA256: c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797
SHA512: 3ab1adcc4928bd828377e0e8a82bbc16e047da8920b6efc63e8f59ead277e317312410598158154fae38a476e9b85b5107cd7cbbd42cc42470eaa21227c72386
SSDEEP: 12288:V/Mz/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:VwK2O2HIBEd7M
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
Disables RegEdit via registry modification 6 IoCs
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification 6 IoCs
Disables use of System Restore points 1 TTPs
Executes dropped EXE 35 IoCs
Loads dropped DLL 53 IoCs
Modifies system executable filetype association 2 TTPs 64 IoCs
Adds Run key to start application 2 TTPs 24 IoCs
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 18 IoCs
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description                   ioc             Process
File opened for modification  F:\autorun.inf  c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
File created                  C:\autorun.inf  c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
File opened for modification  C:\autorun.inf  c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
File created                  F:\autorun.inf  c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Drops file in System32 directory 40 IoCs
Drops file in Windows directory 26 IoCs
description | ioc | Process
File opened for modification | C:\Windows\tiwi.exe | winlogon.exe
File created | C:\Windows\tiwi.exe | winlogon.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | cute.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | Tiwi.exe
File created | C:\Windows\tiwi.exe | Tiwi.exe
File opened for modification | C:\Windows\tiwi.exe | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | imoet.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | cute.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
File created | C:\Windows\tiwi.exe | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | imoet.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Modifies Control Panel 54 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\ | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\ | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "Tiwi" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "Tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "Tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "Tiwi" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\ | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\SwapMouseButtons = "1" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\SwapMouseButtons = "1" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "Tiwi" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\SwapMouseButtons = "1" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "Tiwi" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "Tiwi" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\ | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "Tiwi" | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "Tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\SwapMouseButtons = "1" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\ | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\ | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\SwapMouseButtons = "1" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\SwapMouseButtons = "1" | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\ | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\ | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\ | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "Tiwi" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "Tiwi" | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "Tiwi" | cute.exe
Modifies Internet Explorer settings 18 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\ | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\ | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\ | imoet.exe
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | cute.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid | Process
1676 | Tiwi.exe
2172 | imoet.exe
2104 | winlogon.exe
1912 | IExplorer.exe
1824 | cute.exe
Suspicious use of SetWindowsHookEx 36 IoCs
pid | Process
2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
1676 | Tiwi.exe
1912 | IExplorer.exe
2424 | Tiwi.exe
1332 | IExplorer.exe
2416 | Tiwi.exe
2104 | winlogon.exe
1768 | Tiwi.exe
1956 | IExplorer.exe
2788 | IExplorer.exe
2172 | imoet.exe
1700 | winlogon.exe
2512 | winlogon.exe
1600 | imoet.exe
2308 | Tiwi.exe
1824 | cute.exe
2408 | imoet.exe
2756 | winlogon.exe
352 | IExplorer.exe
2688 | cute.exe
2644 | imoet.exe
2892 | Tiwi.exe
2468 | cute.exe
1936 | cute.exe
2296 | winlogon.exe
2888 | Tiwi.exe
664 | IExplorer.exe
2696 | imoet.exe
1560 | winlogon.exe
1032 | IExplorer.exe
1056 | cute.exe
680 | imoet.exe
2860 | winlogon.exe
1628 | cute.exe
760 | imoet.exe
1336 | cute.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2348 wrote to memory of 1676 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 30
PID 2348 wrote to memory of 1676 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 30
PID 2348 wrote to memory of 1676 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 30
PID 2348 wrote to memory of 1676 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 30
PID 2348 wrote to memory of 1912 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 31
PID 2348 wrote to memory of 1912 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 31
PID 2348 wrote to memory of 1912 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 31
PID 2348 wrote to memory of 1912 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 31
PID 2348 wrote to memory of 2424 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 32
PID 2348 wrote to memory of 2424 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 32
PID 2348 wrote to memory of 2424 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 32
PID 2348 wrote to memory of 2424 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 32
PID 2348 wrote to memory of 1332 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 33
PID 2348 wrote to memory of 1332 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 33
PID 2348 wrote to memory of 1332 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 33
PID 2348 wrote to memory of 1332 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 33
PID 2348 wrote to memory of 2104 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 34
PID 2348 wrote to memory of 2104 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 34
PID 2348 wrote to memory of 2104 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 34
PID 2348 wrote to memory of 2104 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 34
PID 1676 wrote to memory of 2416 | 1676 | Tiwi.exe | 35
PID 1676 wrote to memory of 2416 | 1676 | Tiwi.exe | 35
PID 1676 wrote to memory of 2416 | 1676 | Tiwi.exe | 35
PID 1676 wrote to memory of 2416 | 1676 | Tiwi.exe | 35
PID 1676 wrote to memory of 1956 | 1676 | Tiwi.exe | 36
PID 1676 wrote to memory of 1956 | 1676 | Tiwi.exe | 36
PID 1676 wrote to memory of 1956 | 1676 | Tiwi.exe | 36
PID 1676 wrote to memory of 1956 | 1676 | Tiwi.exe | 36
PID 1912 wrote to memory of 1768 | 1912 | IExplorer.exe | 37
PID 1912 wrote to memory of 1768 | 1912 | IExplorer.exe | 37
PID 1912 wrote to memory of 1768 | 1912 | IExplorer.exe | 37
PID 1912 wrote to memory of 1768 | 1912 | IExplorer.exe | 37
PID 1912 wrote to memory of 2788 | 1912 | IExplorer.exe | 39
PID 1912 wrote to memory of 2788 | 1912 | IExplorer.exe | 39
PID 1912 wrote to memory of 2788 | 1912 | IExplorer.exe | 39
PID 1912 wrote to memory of 2788 | 1912 | IExplorer.exe | 39
PID 2348 wrote to memory of 2172 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 38
PID 2348 wrote to memory of 2172 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 38
PID 2348 wrote to memory of 2172 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 38
PID 2348 wrote to memory of 2172 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 38
PID 1676 wrote to memory of 2512 | 1676 | Tiwi.exe | 40
PID 1676 wrote to memory of 2512 | 1676 | Tiwi.exe | 40
PID 1676 wrote to memory of 2512 | 1676 | Tiwi.exe | 40
PID 1676 wrote to memory of 2512 | 1676 | Tiwi.exe | 40
PID 1912 wrote to memory of 1700 | 1912 | IExplorer.exe | 41
PID 1912 wrote to memory of 1700 | 1912 | IExplorer.exe | 41
PID 1912 wrote to memory of 1700 | 1912 | IExplorer.exe | 41
PID 1912 wrote to memory of 1700 | 1912 | IExplorer.exe | 41
PID 2348 wrote to memory of 1824 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 42
PID 2348 wrote to memory of 1824 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 42
PID 2348 wrote to memory of 1824 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 42
PID 2348 wrote to memory of 1824 | 2348 | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe | 42
PID 1912 wrote to memory of 1600 | 1912 | IExplorer.exe | 43
PID 1912 wrote to memory of 1600 | 1912 | IExplorer.exe | 43
PID 1912 wrote to memory of 1600 | 1912 | IExplorer.exe | 43
PID 1912 wrote to memory of 1600 | 1912 | IExplorer.exe | 43
PID 2104 wrote to memory of 2308 | 2104 | winlogon.exe | 44
PID 2104 wrote to memory of 2308 | 2104 | winlogon.exe | 44
PID 2104 wrote to memory of 2308 | 2104 | winlogon.exe | 44
PID 2104 wrote to memory of 2308 | 2104 | winlogon.exe | 44
PID 1676 wrote to memory of 2408 | 1676 | Tiwi.exe | 45
PID 1676 wrote to memory of 2408 | 1676 | Tiwi.exe | 45
PID 1676 wrote to memory of 2408 | 1676 | Tiwi.exe | 45
PID 1676 wrote to memory of 2408 | 1676 | Tiwi.exe | 45
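The WriteProcessMemory table above is easier to read as a tree than as 64 rows: every target appears in four identical rows (separate write calls logged while the parent started that child), and the writer pids chain into each other (2348 starts 2104 winlogon.exe, which starts 2308). The script below is an added example, not part of the sandbox report, that parses rows in the table's own column order, collapses the duplicates into one edge with a count, and renders the spawn tree; the embedded rows are a constructed subset copied from the table. A write row by itself only proves a write, not process creation, but here the edges line up with the parent/child layout in the Processes section further down.

```python
import re
from collections import Counter, OrderedDict

# Added example, not the sandbox's code: rebuild the process tree from the
# report's "Suspicious use of WriteProcessMemory" rows.
# Constructed input: a subset of the rows above, one per line, in the table's
# own column order:
#   PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>
SAMPLE = "c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe"
ROWS = """
PID 2348 wrote to memory of 1676 2348 {s} 30
PID 2348 wrote to memory of 1676 2348 {s} 30
PID 2348 wrote to memory of 1676 2348 {s} 30
PID 2348 wrote to memory of 1676 2348 {s} 30
PID 2348 wrote to memory of 1912 2348 {s} 31
PID 2348 wrote to memory of 2104 2348 {s} 34
PID 1676 wrote to memory of 2416 1676 Tiwi.exe 35
PID 1676 wrote to memory of 1956 1676 Tiwi.exe 36
PID 1912 wrote to memory of 1768 1912 IExplorer.exe 37
PID 2348 wrote to memory of 2172 2348 {s} 38
PID 2104 wrote to memory of 2308 2104 winlogon.exe 44
""".format(s=SAMPLE)

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_rows(text):
    """Yield (writer_pid, target_pid, writer_image, procid_target) per well-formed row."""
    for line in text.splitlines():
        m = ROW_RE.fullmatch(line.strip())
        if not m:
            continue
        writer, target, writer_again, image, procid = m.groups()
        if writer != writer_again:  # the pid column repeats the writer; a mismatch is a bad row
            raise ValueError("inconsistent row: %r" % line)
        yield int(writer), int(target), image, int(procid)


def build_tree(text):
    """Return (children, edge_counts, images).

    children:    writer pid -> target pids in first-seen order, duplicates collapsed
    edge_counts: (writer, target) -> number of identical rows behind that edge
    images:      writer pid -> image name as the table reports it
    """
    children, edge_counts, images = OrderedDict(), Counter(), {}
    for writer, target, image, _ in parse_rows(text):
        images[writer] = image
        edge_counts[(writer, target)] += 1
        kids = children.setdefault(writer, [])
        if target not in kids:
            kids.append(target)
    return children, edge_counts, images


def roots(children):
    """Writers that nobody wrote to: the top of the tree (the submitted sample here)."""
    written = {t for kids in children.values() for t in kids}
    return [w for w in children if w not in written]


def depth(children, pid):
    """Hops from a root down to pid; 0 for a root, -1 if pid is not in the tree."""
    parent_of = {t: w for w, kids in children.items() for t in kids}
    if pid not in parent_of and pid not in children:
        return -1
    hops = 0
    while pid in parent_of:
        pid = parent_of[pid]
        hops += 1
    return hops


def render(children, edge_counts, images, pid, indent=0, via=None):
    """Indented text tree; each child shows how many write rows its parent produced."""
    label = images.get(pid, "(image not in this table)")
    note = "" if via is None else "  [%d write rows from %d]" % (edge_counts[(via, pid)], via)
    lines = ["%s%d %s%s" % ("  " * indent, pid, label, note)]
    for child in children.get(pid, []):
        lines.extend(render(children, edge_counts, images, child, indent + 1, pid))
    return lines


if __name__ == "__main__":
    tree, counts, names = build_tree(ROWS)
    for root in roots(tree):
        print("\n".join(render(tree, counts, names, root)))
```

Leaf processes that never write to anyone (2416, 1956, 1768, 2308, ...) have no image in this table; the SetWindowsHookEx table above maps those pids to names if you want to merge the two.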
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Tiwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cute.exe
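The registry tables in this report (Modifies registry class, Modifies Control Panel, System policy modification, and the WinLogon persistence named in the process tree) describe one coherent hijack: every .exe, .com, .bat, .pif and .lnk the user opens is routed through the dropped C:\Windows\system32\shell.exe, the exefile type is relabelled "File Folder" so executables masquerade as folders, cmd.exe is locked out with DisableCMD=1, and the screensaver is pointed at the dropped tiwi.SCR with ScreenSaverIsSecure=0 and a 600-second timeout, so the dropper also re-executes after ten minutes of idle time. The script below is an added triage helper, not the sandbox's code: it compares a registry snapshot against stock Windows defaults and against the file paths this report lists as dropped, and can read the live values through winreg on a Windows host. The OBSERVED and CLEAN snapshots are constructed from the values in the tables above; the Winlogon defaults (explorer.exe and C:\Windows\system32\userinit.exe,) are the stock values, not taken from this report. Cosmetic changes such as SwapMouseButtons and the Internet Explorer titles are deliberately not flagged, since they are annoyances rather than execution paths.

```python
# Added triage helper, not the sandbox's code. Paths use the report's own
# \REGISTRY\... notation; a trailing backslash names a key's (Default) value,
# exactly as the tables above write it.
HKLM = r"\REGISTRY\MACHINE\SOFTWARE"
USER = r"\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000"  # SID from the report


def DEFAULT(key):
    """Path of a key's (Default) value in the report's notation."""
    return key + "\\"


# Files the report lists the sample dropping or pointing registry values at.
# system32 and SysWOW64 are the same directory from this 32-bit sample's view.
DROPPED = [
    r"C:\Windows\system32\shell.exe",
    r"C:\Windows\system32\IExplorer.exe",
    r"C:\Windows\system32\tiwi.scr",
    r"C:\Windows\tiwi.exe",
    r"C:\WINDOWS\win\system\host32.exe",
]

# Stock Windows values for keys the sample overwrites (compared case-insensitively).
# lnkfile has no shell\open\command by default, so any value there is caught by DROPPED.
DEFAULTS = {
    DEFAULT(HKLM + r"\Classes\exefile\shell\open\command"): '"%1" %*',
    DEFAULT(HKLM + r"\Classes\comfile\shell\open\command"): '"%1" %*',
    DEFAULT(HKLM + r"\Classes\batfile\shell\open\command"): '"%1" %*',
    DEFAULT(HKLM + r"\Classes\piffile\shell\open\command"): '"%1" %*',
    DEFAULT(HKLM + r"\Classes\exefile"): "Application",
    HKLM + r"\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "explorer.exe",
    HKLM + r"\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit": r"C:\Windows\system32\userinit.exe,",
}

# Policy values that must be absent or 0; DisableCMD=1 locks the user out of cmd.exe.
MUST_BE_ZERO = [HKLM + r"\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD"]


def _mentions_dropped(value):
    v = value.lower().replace("syswow64", "system32")
    return any(p.lower() in v for p in DROPPED)


def audit(snapshot):
    """snapshot: {path: value} -> list of (kind, path, value) findings."""
    findings = []
    lowered = {p.lower(): v for p, v in snapshot.items()}
    for path, default in DEFAULTS.items():
        v = lowered.get(path.lower())
        if v is not None and str(v).strip().lower() != default.lower():
            findings.append(("default-overridden", path, v))
    for path in MUST_BE_ZERO:
        v = lowered.get(path.lower())
        if v not in (None, 0, "0"):
            findings.append(("policy-set", path, v))
    for path, v in snapshot.items():
        if isinstance(v, str) and _mentions_dropped(v):
            findings.append(("references-dropped-file", path, v))
    return findings


def summarize(findings):
    """{kind: sorted paths}, for a quick diff against a known-clean host."""
    out = {}
    for kind, path, _ in findings:
        out.setdefault(kind, []).append(path)
    return {k: sorted(v) for k, v in out.items()}


def read_live_value(nt_path):
    """Windows only: read one value via winreg from the 32-bit registry view
    (KEY_WOW64_32KEY), which is the view this WoW64 sample wrote to. Raises
    OSError for keys or values that do not exist."""
    import winreg
    for prefix, hive in ((r"\REGISTRY\MACHINE", winreg.HKEY_LOCAL_MACHINE),
                         (r"\REGISTRY\USER", winreg.HKEY_USERS)):
        if nt_path.upper().startswith(prefix + "\\"):
            key_path, _, name = nt_path[len(prefix) + 1:].rpartition("\\")
            with winreg.OpenKey(hive, key_path, 0, winreg.KEY_READ | winreg.KEY_WOW64_32KEY) as k:
                return winreg.QueryValueEx(k, name)[0]  # name == "" reads (Default)
    raise ValueError("unsupported path: %s" % nt_path)


# Constructed snapshot: values copied from this report's tables, with the
# sandbox's doubled backslashes collapsed.
OBSERVED = {
    DEFAULT(HKLM + r"\Classes\exefile\shell\open\command"): r'"C:\Windows\system32\shell.exe" "%1" %*',
    DEFAULT(HKLM + r"\Classes\lnkfile\shell\open\command"): r'"C:\Windows\system32\shell.exe" "%1" %*',
    DEFAULT(HKLM + r"\Classes\exefile"): "File Folder",
    HKLM + r"\Classes\inffile\shell\Install\command\Default": r"C:\WINDOWS\win\system\host32.exe /ShowErrorINF",
    HKLM + r"\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD": 1,
    USER + r"\Control Panel\Desktop\SCRNSAVE.EXE": r"C:\Windows\system32\tiwi.SCR",
    USER + r"\Control Panel\Desktop\ScreenSaverIsSecure": "0",
    USER + r"\Control Panel\Mouse\SwapMouseButtons": 1,
    USER + r"\Software\Microsoft\Internet Explorer\Main\Start Page": "http://www.google.com",
}

# Constructed clean snapshot: stock values (ssText3d.scr ships with Windows).
CLEAN = {
    DEFAULT(HKLM + r"\Classes\exefile\shell\open\command"): '"%1" %*',
    DEFAULT(HKLM + r"\Classes\exefile"): "Application",
    USER + r"\Control Panel\Desktop\SCRNSAVE.EXE": r"C:\Windows\system32\ssText3d.scr",
}

if __name__ == "__main__":
    for kind, path, value in audit(OBSERVED):
        print("%-24s %s = %r" % (kind, path, value))
```

On a live host, build the snapshot with read_live_value over the keys in DEFAULTS, MUST_BE_ZERO and the user's Control Panel\Desktop values (catching OSError for absent keys) and pass it to audit. When cleaning up, restore the exefile, comfile, batfile and piffile commands to "%1" %* before deleting shell.exe; if the command still points at a file that no longer exists, nothing on the machine will launch.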
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2348
  Level 2: C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe)
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1676
    Level 3: C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2416
    Level 3: C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1956
    Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2512
    Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2408
    Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2468
  Level 2: C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe)
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1912
    Level 3: C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1768
    Level 3: C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2788
    Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1700
    Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1600
    Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2688
  Level 2: C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2424
  Level 2: C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1332
  Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2104
    Level 3: C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2308
    Level 3: C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:352
    Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2296
    Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2696
    Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1056
  Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2172
    Level 3: C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2892
    Level 3: C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:664
    Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1560
    Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:680
    Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1628
  Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1824
    Level 3: C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2888
    Level 3: C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1032
    Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2860
    Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:760
    Level 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1336
  Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2756
  Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2644
  Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1936
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (9)
Downloads
- Filesize: 45KB
  MD5: cbf04dd8bd74806b3442c452504daa19
  SHA1: 5b8757f7f6e1bcb1dcd2e9e22981744ab1e235bc
  SHA256: a079d9484eb19dd20cc50f2c1b50bc7a3f5d917ad244cfe4cc9bfe38c25cf572
  SHA512: 669dfbad5af7d65145610ea94c9726c487a5e068a65c0cbe27cf74fb7db22fe204c542c65a5651e8775f57037f81a67dbabc3f810346137deb7bfd933f0be324
- Filesize: 488KB
  MD5: e77537010f40a5b5f483d30372ec9a04
  SHA1: bac99f3f5fdb570b8a6b47610ae7e2d2abab92f3
  SHA256: 8fdddcf3bed37ce860694c8804474f45110df9ebb826e7cabaf905122d0d01d9
  SHA512: 78a8db1bbad0a351a28c082d1cd9b019505dd95bbb9893355f99417415b50b2f81853ca4b517c6e2c77f647d9cf101821552ab8b086b52c0db3a3ca6b95fa1b6
- Filesize: 488KB
  MD5: ba444bde36e78ffc2d898b42ef1c56b7
  SHA1: 33041c18aa4654dc8e0dd33c0e3b9f47ee3bba1a
  SHA256: b5db3b93eed9277812ce085378dd7527add9ecddc87c03a5eb630300f6e7a791
  SHA512: 92ec9df3b59b37277c39beddde4b9bab5c892df328a31f0e75e7afe1aeaf2fdf000aa2b8406a945601613dbf5bf4c8d9d2bfbfb4a90d81153186cad064b3214e
- Filesize: 488KB
  MD5: 5cdaa4e7b9f04a23192e484784832c54
  SHA1: 94cbe97ba09836eabc2e975cad16bf9c8b06f345
  SHA256: 57009c5583c1b5aa19ebf58d6fa660f38bf3d7c58c6b150f4a28afea0f413cd3
  SHA512: 12b094d0e9c451040e68b3598e06fee8b0aa3b8ee50daf896784844bcee9f677b354644e417fe173d0b5176a78571c6814607c463502acb86460590a0c35206b
- Filesize: 45KB
  MD5: 438a8384a19d7a0595330a1caeff1a24
  SHA1: 45833d38ec4d28759cfb101aa96b5bc91217928b
  SHA256: 0348caacba84e6980e5b3bf89710bd474986ccd348d249a5fc7d303b57bf49fe
  SHA512: 4c88e9d7a51c245d8d7e2fedaa3b595973699c9daa626729adc66eff6bb46108e0081a13e501a926a14beb19dd1929e95427557662806cb1c44d10fd84f946ba
- Filesize: 45KB
  MD5: 10cf284cce2bd63ac1f300a4126fb020
  SHA1: 6f63d14f73fbb11118ad272adc6fb521db2b6fb7
  SHA256: e65753e73bd4a7abe0d0ec6c616172cdfe6cfcdfeaff17868a9b3c65a786d53e
  SHA512: 814cbf1eb9d45a294b216cd8ce25b553388dab90cfd09e47bdf33e9e0fe9cd57fd2dfae62458396381f35f20f3c383ff89ad84b9386cbe4dbd3e11789b92e68e
- Filesize: 488KB
  MD5: 68a1c25c415ed200ebaffaf2a080f82f
  SHA1: e70c0e267e77996553afb7f1fd34e0592ea7ab1b
  SHA256: 8098974f91b35b0f293b53ae1e5cb55fc2d72a9962d6280dfdd519645f972d57
  SHA512: e1042e5ea0ea41edf895fcaab82b90ffd3905ba88c5d158aed00d18ad650d9ef63f02b5a4e417864ed09a095d11dcccc58744a3a5a5aea1fbffab300d6925842
- Filesize: 488KB
  MD5: 29f971ec5a748038cac0564558632f29
  SHA1: 51b5efb6ee488fe92ec0f89243465c7f93a60ba7
  SHA256: daa5340fd46dbbae5554e69f971c2a29494876d573777ad7222c791924016234
  SHA512: 7e451e5967c6b077303abc48289d302ba2bb0a7cba6ec4d6bd13265c380691bd3f4c071fe9ca38682e39ae30bb5e82069c49283b9572da6c1f52edee92b89c04
- Filesize: 488KB
  MD5: c401cbd190e2a2111ed84623ad49fcb8
  SHA1: 1f260ba126dbd0b58956d2cd5c30bb89f2d3902a
  SHA256: 4bc5cd31d41e2e3dc87a0990b83dca35cb2d288ae2b261c261eed30263148067
  SHA512: d6263167c6db5e439d106225246d4c90fa002f2fb760c4c5c6e61da31f7bf5159ce8cec8243834680daa8e7b166a4751f8c2796104c307272d4f57d5637adcaa
- Filesize: 1.3MB
  MD5: 5343a19c618bc515ceb1695586c6c137
  SHA1: 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
  SHA256: 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
  SHA512: 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
- Filesize: 488KB
  MD5: 421f33278ba0ac000cb9f3fcacb956ef
  SHA1: ddc1ac82f98dca50e663fa06b10963d869f839fe
  SHA256: 409b32d0ffac221173a16e8164a68c38d663d581ea711acac4ebe416763bdbbd
  SHA512: 7d7f5c182fe98aa1bef05b47445204aaed0f4d5203866bcc38d525e80d98dc034eff73c1788c02c6c459c64b31c0752442c7da7ad2905e0302d112882dfc2b25
- Filesize: 488KB
  MD5: 270a1750fe3379466dc2fa9c82183212
  SHA1: 8113c6cb8a42e4ce97ee4dec9ab05a204d4d040c
  SHA256: 18af4d38cce3f9f83374d49572d19b14e13326c1afac0eba6ca1a98de9d567e5
  SHA512: 92188cc37a50806ca029df8bae580f6e0fa7d9d0587ccfb5897b9b4e682ac695c6dfca37212d3e37fe17a1aff60c7b499a21c4b844d41776acafb8db0fffbf9f
- Filesize: 488KB
  MD5: bba2c8430b55152718d8aa3a29e69748
  SHA1: 6777b0461801d1733adebd4db0add498fe0b0f74
  SHA256: 07bfcb969e428ad53e3539f7906e3ff23d04daa4d3068c959158f783c0b5f467
  SHA512: e82cf624a2874613b067213a9af5bea2b062e7f4620b7fbb3ea8dccdef906488976587b730d1bfae256f52d6126bc0f252f7576ed13e0e4c874d177c59b1cbc8
- Filesize: 488KB
  MD5: 5953ebd2fec51a3466574c73734b3310
  SHA1: 02e7ed57055aca483933a7906be4a171f132edd7
  SHA256: c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797
  SHA512: 3ab1adcc4928bd828377e0e8a82bbc16e047da8920b6efc63e8f59ead277e317312410598158154fae38a476e9b85b5107cd7cbbd42cc42470eaa21227c72386
- Filesize: 488KB
  MD5: ac82e9437955e15cd506bab204d121cb
  SHA1: e644ce8c9e025f6e4d3f2f2fd118cd5a7e77ae30
  SHA256: cff0b4dc1352f790e9eead7611edd1f0bf76c4018ab606eb98a812d72fa659d2
  SHA512: 2661781b8bea2a5e5f161ee4937e16ad40c171233c42f08348ed9cde82190454f3b2c453439818dd41a695a43776c73f8e667df78c0063c89810b81753f95d98
- Filesize: 488KB
  MD5: 548de2ca8aa457672d93e67908e22f68
  SHA1: dbec4f8d185af6ee459d65450b040908ed14117f
  SHA256: b5b589a2906a96bc06f50dee74087b3344310950ca8b25fbc5c390394b4fcc91
  SHA512: 400c6c1f1b644406ccd36ab6fc0055f006b339e20b621d4de63ca1331866555994582ae5ee132a4dd9558c9f7fb8fc672811d8ba5006f8b947821c54dc872e33
- Filesize: 488KB
  MD5: cf7e59d1f5c1032874822b24f1eaf5fb
  SHA1: 4c90be622487b8a3c7276c49abad9bf11ce50f9b
  SHA256: 3e8e820c9434e288359f4668a071c990bb03523cf1bb1740cb4cc473f6f0a82e
  SHA512: 6dcaae9a3ce09e161313051d6397dbfe1b42133a3e381e52243b3303d914704dd24fcbb1d38f4108da43b2679ce69db3957134dc7f1866e7d818a1ac7741268d
- Filesize: 488KB
  MD5: ce413838dca2ebe04693f608ab72c3e7
  SHA1: e47c0ebb12d2b9a23fbc22468fa8c5ed9b617bce
  SHA256: 8dedba30d34a4aa780fa86b456752ac5f2dbdf8148ad74e6d1637e62b8f6000a
  SHA512: cb39d28046b05a47ee9b15683b3722803d05a4dd4be6c31e266d8163ff893c68aa34579436b499e6c666d53664bc0acce64e7b15e4427f080fd17251c55df209
- Filesize: 729B
  MD5: 8e3c734e8dd87d639fb51500d42694b5
  SHA1: f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
  SHA256: 574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
  SHA512: 06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853
- Filesize: 488KB
  MD5: 9691be527acea3df5e832488c08d1f78
  SHA1: 51d2e99a5fe494f4193d82708a68f3e297a0cafe
  SHA256: 465ab76d37735d8075cd283a1ef4f14d1f9c777117fbea6db26073ac1d5bc7c3
  SHA512: 01177b5b737ce7ddeab5ac12f5c3d8b0e0064a80e8febf3507575eccaf24ee63a830083246395a972db602e44651ed3d975b515a5657008d20b37336dad3cda8
- Filesize: 488KB
  MD5: 20d8d5312ed06913846112075c9699a9
  SHA1: cfed976ad84fa8f059af1df0df68effeb586d2c3
  SHA256: fbab73e0da650968903b034c45c800e5b35d6858f01afc904726e140ad1c0093
  SHA512: 78ee8a21a7fbedcffbdaa04a07fd81d8e5a9088a06f61552603419039bc1792b9225688435da07cd32fd6b7cef71f97411dbb77f4c2a865b1dcbb49d1f7135f4
- Filesize: 488KB
  MD5: 7c213c5086079158acd667fdd6c0a7c8
  SHA1: 4921c072ac9f69d5c88e6df3c632d4ffbd57c768
  SHA256: 13df1bfec466bbc19abc4096da5c768c87a7a90f9b384b40f684f4d7efc2698f
  SHA512: c76f0b4d1e20c6ec73da90ffb5602d407d902ae35594767b9d410403eb43c187ba7392e101b8421bdad22c666cf42243c1cd1d8602c5fe3224cb0882b31ca1bb
- Filesize: 39B
  MD5: 415c421ba7ae46e77bdee3a681ecc156
  SHA1: b0db5782b7688716d6fc83f7e650ffe1143201b7
  SHA256: e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
  SHA512: dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62
- Filesize: 488KB
  MD5: cea2626b00637275d35d410b80d90637
  SHA1: af21fb9f93feaeb0d2d68c6161d834c33ba2be1b
  SHA256: 4d145678a136f819cfc26e0956784fc6305e3ea895eae546988e3fb9a4da9841
  SHA512: ad72525ab48d6dfd6bdb6a61d7ecc959b6799d1e1ad610fcef1ad36242b37078dfc9e848acadaf35a05ad69e2624f46e1b515e22cd6720e478379c9cc7cc839c