Analysis
-
max time kernel
119s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/11/2024, 13:52
Static task
static1
Behavioral task
behavioral1
Sample
c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
Resource
win10v2004-20241007-en
General
-
Target
c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe
-
Size
488KB
-
MD5
5953ebd2fec51a3466574c73734b3310
-
SHA1
02e7ed57055aca483933a7906be4a171f132edd7
-
SHA256
c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797
-
SHA512
3ab1adcc4928bd828377e0e8a82bbc16e047da8920b6efc63e8f59ead277e317312410598158154fae38a476e9b85b5107cd7cbbd42cc42470eaa21227c72386
-
SSDEEP
12288:V/Mz/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:VwK2O2HIBEd7M
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" cute.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" imoet.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe -
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe -
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 35 IoCs
pid Process 2824 Tiwi.exe 2480 IExplorer.exe 5028 winlogon.exe 5052 Tiwi.exe 1432 Tiwi.exe 864 IExplorer.exe 4760 IExplorer.exe 3896 Tiwi.exe 1132 winlogon.exe 1596 IExplorer.exe 3836 winlogon.exe 4848 Tiwi.exe 2328 imoet.exe 4476 winlogon.exe 760 IExplorer.exe 3856 imoet.exe 1416 imoet.exe 1660 cute.exe 968 cute.exe 2384 cute.exe 2076 winlogon.exe 4112 imoet.exe 3596 imoet.exe 1028 Tiwi.exe 1548 cute.exe 3928 cute.exe 1976 IExplorer.exe 216 Tiwi.exe 4304 winlogon.exe 1468 IExplorer.exe 688 imoet.exe 400 winlogon.exe 2464 cute.exe 4300 imoet.exe 4076 cute.exe -
Loads dropped DLL 6 IoCs
pid Process 5052 Tiwi.exe 1432 Tiwi.exe 3896 Tiwi.exe 4848 Tiwi.exe 1028 Tiwi.exe 216 Tiwi.exe -
Modifies system executable filetype association 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" cute.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe File opened (read-only) \??\U: c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe File opened (read-only) \??\W: winlogon.exe File opened (read-only) \??\W: imoet.exe File opened (read-only) \??\K: IExplorer.exe File opened (read-only) \??\V: winlogon.exe File opened (read-only) \??\B: cute.exe File opened (read-only) \??\W: IExplorer.exe File opened (read-only) \??\B: c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe File opened (read-only) \??\X: winlogon.exe File opened (read-only) \??\H: imoet.exe File opened (read-only) \??\M: imoet.exe File opened (read-only) \??\G: c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe File opened (read-only) \??\I: imoet.exe File opened (read-only) \??\U: imoet.exe File opened (read-only) \??\N: cute.exe File opened (read-only) \??\Q: cute.exe File opened (read-only) \??\Q: IExplorer.exe File opened (read-only) \??\Z: IExplorer.exe File opened (read-only) \??\S: c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe File opened (read-only) \??\I: Tiwi.exe File opened (read-only) \??\Y: winlogon.exe File opened (read-only) \??\R: cute.exe File opened (read-only) \??\S: cute.exe File opened (read-only) \??\L: Tiwi.exe File opened (read-only) \??\S: winlogon.exe File opened (read-only) \??\R: c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe File opened (read-only) \??\L: imoet.exe File opened (read-only) \??\Y: c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe File opened (read-only) \??\P: winlogon.exe File opened (read-only) \??\S: imoet.exe File opened (read-only) \??\J: cute.exe File opened (read-only) \??\P: IExplorer.exe File opened (read-only) \??\K: Tiwi.exe File opened (read-only) \??\U: Tiwi.exe File opened (read-only) \??\O: IExplorer.exe File opened (read-only) \??\N: c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe File opened (read-only) \??\H: Tiwi.exe File opened (read-only) \??\L: winlogon.exe File opened (read-only) \??\T: winlogon.exe File opened (read-only) \??\T: cute.exe File opened (read-only) \??\T: Tiwi.exe File opened (read-only) \??\U: winlogon.exe File opened (read-only) \??\V: imoet.exe File opened (read-only) \??\I: IExplorer.exe File opened (read-only) \??\X: IExplorer.exe File opened (read-only) \??\K: winlogon.exe File opened (read-only) \??\Q: imoet.exe File opened (read-only) \??\X: imoet.exe File opened (read-only) \??\X: cute.exe File opened (read-only) \??\B: Tiwi.exe File opened (read-only) \??\B: IExplorer.exe File opened (read-only) \??\S: Tiwi.exe File opened (read-only) \??\Y: Tiwi.exe File opened (read-only) \??\Z: Tiwi.exe File opened (read-only) \??\E: winlogon.exe File opened (read-only) \??\K: cute.exe File opened (read-only) \??\W: cute.exe File opened (read-only) \??\P: cute.exe File opened (read-only) \??\N: winlogon.exe File opened (read-only) \??\B: imoet.exe File opened (read-only) \??\E: IExplorer.exe File opened (read-only) \??\G: IExplorer.exe File opened (read-only) \??\U: IExplorer.exe -
Modifies WinLogon 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " winlogon.exe -
Drops autorun.inf file 1 TTPs 10 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf IExplorer.exe File created F:\autorun.inf c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe File opened for modification F:\autorun.inf Tiwi.exe File opened for modification F:\autorun.inf c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe File created C:\autorun.inf IExplorer.exe File created C:\autorun.inf c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe File opened for modification C:\autorun.inf c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe File created F:\autorun.inf IExplorer.exe File opened for modification F:\autorun.inf IExplorer.exe File created F:\autorun.inf Tiwi.exe -
Drops file in System32 directory 40 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe File created C:\Windows\SysWOW64\IExplorer.exe cute.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr winlogon.exe File created C:\Windows\SysWOW64\IExplorer.exe c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe File created C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\tiwi.scr c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr imoet.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr cute.exe File created C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr Tiwi.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\shell.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe imoet.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe cute.exe File opened for modification C:\Windows\SysWOW64\shell.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\shell.exe imoet.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe imoet.exe File created C:\Windows\SysWOW64\shell.exe c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe File opened for modification C:\Windows\SysWOW64\shell.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe cute.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe -
Drops file in Windows directory 26 IoCs
description ioc Process File created C:\Windows\tiwi.exe c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe winlogon.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe imoet.exe File opened for modification C:\Windows\tiwi.exe c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe Tiwi.exe File created C:\Windows\tiwi.exe winlogon.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe imoet.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe Tiwi.exe File created C:\Windows\tiwi.exe IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe cute.exe File created C:\Windows\tiwi.exe cute.exe -
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe -
Modifies Control Panel 54 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\s1159 = "Tiwi" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\s2359 = "Tiwi" cute.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Mouse\SwapMouseButtons = "1" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\s2359 = "Tiwi" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Mouse\SwapMouseButtons = "1" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\ c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\s2359 = "Tiwi" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Mouse\SwapMouseButtons = "1" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" imoet.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Mouse\ imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Mouse\SwapMouseButtons = "1" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Mouse\ c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" cute.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\ cute.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Mouse\ Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Mouse\SwapMouseButtons = "1" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Mouse\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\s2359 = "Tiwi" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Mouse\SwapMouseButtons = "1" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\s2359 = "Tiwi" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\s1159 = "Tiwi" imoet.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\ winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Mouse\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\s1159 = "Tiwi" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Mouse\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\s1159 = "Tiwi" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\s1159 = "Tiwi" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\s2359 = "Tiwi" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\s1159 = "Tiwi" IExplorer.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." imoet.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" cute.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main\ c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main\ Tiwi.exe -
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" Tiwi.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process 2824 Tiwi.exe 2328 imoet.exe 5028 winlogon.exe 2480 IExplorer.exe 1660 cute.exe -
Suspicious use of SetWindowsHookEx 36 IoCs
pid Process 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 2824 Tiwi.exe 2480 IExplorer.exe 5028 winlogon.exe 5052 Tiwi.exe 1432 Tiwi.exe 864 IExplorer.exe 4760 IExplorer.exe 3896 Tiwi.exe 1132 winlogon.exe 1596 IExplorer.exe 3836 winlogon.exe 4848 Tiwi.exe 4476 winlogon.exe 2328 imoet.exe 3856 imoet.exe 1416 imoet.exe 760 IExplorer.exe 1660 cute.exe 968 cute.exe 2384 cute.exe 2076 winlogon.exe 3596 imoet.exe 4112 imoet.exe 1028 Tiwi.exe 3928 cute.exe 1548 cute.exe 1976 IExplorer.exe 216 Tiwi.exe 4304 winlogon.exe 1468 IExplorer.exe 688 imoet.exe 400 winlogon.exe 2464 cute.exe 4300 imoet.exe 4076 cute.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4780 wrote to memory of 2824 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 84 PID 4780 wrote to memory of 2824 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 84 PID 4780 wrote to memory of 2824 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 84 PID 4780 wrote to memory of 2480 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 87 PID 4780 wrote to memory of 2480 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 87 PID 4780 wrote to memory of 2480 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 87 PID 4780 wrote to memory of 5028 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 88 PID 4780 wrote to memory of 5028 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 88 PID 4780 wrote to memory of 5028 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 88 PID 4780 wrote to memory of 5052 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 89 PID 4780 wrote to memory of 5052 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 89 PID 4780 wrote to memory of 5052 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 89 PID 2824 wrote to memory of 1432 2824 Tiwi.exe 90 PID 2824 wrote to memory of 1432 2824 Tiwi.exe 90 PID 2824 wrote to memory of 1432 2824 Tiwi.exe 90 PID 4780 wrote to memory of 864 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 91 PID 4780 wrote to memory of 864 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 91 PID 4780 wrote to memory of 864 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 91 PID 2824 wrote to memory of 4760 2824 Tiwi.exe 92 PID 2824 wrote to memory of 4760 2824 Tiwi.exe 92 PID 2824 wrote to memory of 4760 2824 Tiwi.exe 92 PID 2480 wrote to memory of 3896 2480 IExplorer.exe 93 PID 2480 wrote to memory of 3896 2480 IExplorer.exe 93 PID 2480 wrote to memory of 3896 2480 IExplorer.exe 93 PID 4780 wrote to memory of 1132 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 94 PID 4780 wrote to memory of 1132 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 94 PID 4780 wrote to memory of 1132 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 94 PID 2480 wrote to memory of 1596 2480 IExplorer.exe 95 PID 2480 wrote to memory of 1596 2480 IExplorer.exe 95 PID 2480 wrote to memory of 1596 2480 IExplorer.exe 95 PID 2824 wrote to memory of 3836 2824 Tiwi.exe 96 PID 2824 wrote to memory of 3836 2824 Tiwi.exe 96 PID 2824 wrote to memory of 3836 2824 Tiwi.exe 96 PID 5028 wrote to memory of 4848 5028 winlogon.exe 98 PID 5028 wrote to memory of 4848 5028 winlogon.exe 98 PID 5028 wrote to memory of 4848 5028 winlogon.exe 98 PID 4780 wrote to memory of 2328 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 97 PID 4780 wrote to memory of 2328 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 97 PID 4780 wrote to memory of 2328 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 97 PID 2480 wrote to memory of 4476 2480 IExplorer.exe 99 PID 2480 wrote to memory of 4476 2480 IExplorer.exe 99 PID 2480 wrote to memory of 4476 2480 IExplorer.exe 99 PID 5028 wrote to memory of 760 5028 winlogon.exe 100 PID 5028 wrote to memory of 760 5028 winlogon.exe 100 PID 5028 wrote to memory of 760 5028 winlogon.exe 100 PID 2824 wrote to memory of 3856 2824 Tiwi.exe 101 PID 2824 wrote to memory of 3856 2824 Tiwi.exe 101 PID 2824 wrote to memory of 3856 2824 Tiwi.exe 101 PID 2480 wrote to memory of 1416 2480 IExplorer.exe 102 PID 2480 wrote to memory of 1416 2480 IExplorer.exe 102 PID 2480 wrote to memory of 1416 2480 IExplorer.exe 102 PID 2824 wrote to memory of 1660 2824 Tiwi.exe 103 PID 2824 wrote to memory of 1660 2824 Tiwi.exe 103 PID 2824 wrote to memory of 1660 2824 Tiwi.exe 103 PID 4780 wrote to memory of 968 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 104 PID 4780 wrote to memory of 968 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 104 PID 4780 wrote to memory of 968 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 104 PID 2480 wrote to memory of 2384 2480 IExplorer.exe 105 PID 2480 wrote to memory of 2384 2480 IExplorer.exe 105 PID 2480 wrote to memory of 2384 2480 IExplorer.exe 105 PID 5028 wrote to memory of 2076 5028 winlogon.exe 108 PID 5028 wrote to memory of 2076 5028 winlogon.exe 108 PID 5028 wrote to memory of 2076 5028 winlogon.exe 108 PID 4780 wrote to memory of 4112 4780 c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe 109 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Tiwi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cute.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe"C:\Users\Admin\AppData\Local\Temp\c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797N.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4780 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2824 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1432
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4760
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3836
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3856
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1660 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:216
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1468
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:400
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4300
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4076
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2480 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3896
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1596
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4476
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1416
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2384
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5028 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4848
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:760
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2076
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3596
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3928
-
-
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5052
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:864
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1132
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2328 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1028
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1976
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4304
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:688
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2464
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:968
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4112
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1548
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
488KB
MD5567521375f63dd7cbe6c813505676a0c
SHA1f2a3be0c8dde733e1d96e66dd1816e6f241a154e
SHA256369fb71301ac273dd1ca45145fe0c22c23049e62859aed2a40ddd32e12018ab7
SHA51234dab2aa349920438bdfc65919c893a195d6b17900fbf6d9be31253f613303cde6aafad345fe8847ca15bcf62fb36c66494e50e19c331af77c81c80d67e20cb4
-
Filesize
45KB
MD5a677aa98d280550592abe7546383066b
SHA1d167b835028e15ecb597b709730a343824259216
SHA25635e743e4250b479951d7b2ad152877dcb46c21ff2758d7ec3c9ae1e16b023c7a
SHA51264f300d114f578b91363874ff097f575f0137c02e7661e0daa7c80ce721b0296b426647a9d5fca30b4934dec640b43a52f6bcf3a0955490f7de3d461f81cdd93
-
Filesize
488KB
MD549b6ea1a0bf4e85bf16f0d9a0edd5aeb
SHA1fc12e5be50e3ab3c91f44512c571c0d2f9b18b42
SHA2566c1901b9262c424557dd893f5620ceb283b0eef4cf262c3a2d2f12c6fb8ca744
SHA51202eec64784ebf57a2fcaa44b8fcf6dc924b9d99ee1739a63e2f0fd2ee6e9fac0af878551246aaa844686ba4288d250d56e5a169a68f83011d3702ef8390b5b83
-
Filesize
488KB
MD58e7333e6a87a7675aae7b95673ee6777
SHA11c4cbc153f818abed437bbbb60188d06de1bb3d6
SHA256190a4245c2d8a5ec216b314cf335fe2033087957abf27f74e2091dd40dba5dab
SHA512398c58e55f65ff408697a2cf37b2b617881561d9eb40ac13338a1b9377d0b6f30d3f6b8ac088bdc083a2d9ed83b84b3afde7c4d57229a89a9509f465c3244301
-
Filesize
488KB
MD55231585ab17c706f8de238923b815567
SHA18ce51fd0504f90f49ddde1d48187d00f67abd37d
SHA2561dbc9abcc89788c9e487ad7324e7aa59ad09d457c762f046efcd761550803521
SHA5121121084bae327bb5855c031c2a643fc80d8c3422c52c74ac2eb5eabce6f91ff941cb9cf1830ec1d9232f846c5d2e493bb4f01d72b25493903e3df89bdb175860
-
Filesize
488KB
MD570c8beee4faf73f81cf17df736bc98dc
SHA148be58c07b3b0700b7cf0860df40e2f1cf53c3eb
SHA256523f07ae67c962f76272c1a501bb87ad93e73af5e41e3ca955b3f0983fecd792
SHA5122175b9dc8eebca1adfef85801ababcb0123b12449a3a204516d68b0d8ce92131ab922f023e5375b913f2d6fc4ba80e80ca535f27da6fcdeef61802bdcd03827f
-
Filesize
488KB
MD5d09327a594e3e74a395b3d774e26d538
SHA14cbf04b3ec3f19f5fd340e3f0dd53c3b599c61d7
SHA256a23f479ab36981e53d2b0dfe503b2c1f19285139193ed1e36bfd93ef2bf199ba
SHA5129f2dad93c249dda39e949e174a0044ae77c39e6f062aa827bad5ff634b2f95ac0104ca6395d11367cc1ee91ba44ccc743eaf5dad8825a1dadc07da105d1647d2
-
Filesize
45KB
MD5a88273c4ea0ed3fdd48da2e519bdc5e3
SHA1988b98c36d4b4fccba78f5af153b474a45c40d6f
SHA256345371dd1564cdde735ef673ae6ee0ba740c38eccd8bb4646424b53d717c8414
SHA512c89feb9acb69fe8b3081493f877f4f915bd0db886f0bcaf675dae96e9a17ae047c097755d3de84291b39e860762ab6ab492d13bb4bbaf45693dd67eb96bcefe8
-
Filesize
45KB
MD585adc3b260ed3bb13db17b7f3e418692
SHA15e316db8d51339222319e565e6d662795ae5622a
SHA256499a9ead95d7a5cb38c0aa83752a400be68a567b4647cddde298c6ff31a3766c
SHA5124e213678daa7948660cadfcf38271a87efe55e945855a0a20b30b7c210ba826b34a892924da3387cf3a2aa4abee79ce2a8a670c06ca64bc40e52ac4566f7ffaa
-
Filesize
45KB
MD53a043bad051c5eea97e6900b8a7bbf4c
SHA11e470c528f138f3c34c05ca6a442f0fa72017000
SHA256f4b2c78c9cae09dadbdc49f3202974e7c85bf27d097490c4b11ec46ba984c89f
SHA5126c495e809a606834b996a623c8aba1932ad0bbbac26384ef38c559bf9d244c286429eaa947265708c218ddc4b711698fc70038bb6b1b601dd9f75b7cda680bb1
-
Filesize
488KB
MD5ac977d27db9c509a417b6561d0a97b22
SHA166048aa18e5fd486635ed01479e6e28a31dbe2d8
SHA2563340eadc7de317b52eb8df87dd57da4d82451e834bfa2d9e977448b22ae3b78b
SHA512e3146151183015a49fbd97db1c51379584db6268f644dff8da1e59edaef676fff70b5951df2fb3e7da1d73f3c4e800e197460cf91a768fdc94949442d3e11aad
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
488KB
MD524c3a3ed062254a12f09a98cce6a63de
SHA119af1614a57e9f3bc6b3a85880ab9e334aad801e
SHA2568fdbe7a3b648116af237cf347cb94e02628b0ba9b4c8fe286a9bbd3be6ea10c6
SHA51213e54f0e245290869527bab8a09dfdc173ceb331388132103f13eccacb733dd457cad979199bd62cdfeef77146dd57f2e4c0e3ae70701152dd92d34693994525
-
Filesize
488KB
MD55953ebd2fec51a3466574c73734b3310
SHA102e7ed57055aca483933a7906be4a171f132edd7
SHA256c59eb4f8d98f061c05e1ed29e8d5022121e06d68e93ff1d7a97f4cf4c98fd797
SHA5123ab1adcc4928bd828377e0e8a82bbc16e047da8920b6efc63e8f59ead277e317312410598158154fae38a476e9b85b5107cd7cbbd42cc42470eaa21227c72386
-
Filesize
488KB
MD5e479b4b8f0f97311af38ffaddf32c07a
SHA1db8355dd64026f139c9200396bae9f81cdb8229f
SHA256e3a20e91d8293869ea4b1d06cd8e4a291715fb1c9df763fac19ac0745ce884b9
SHA512870fc06e409e010532587a408610cac7fe948e44255d29f09469542634dad6dbd3165865b8a10104ec2bc1de99d3c0f4f811b3314b495fb806c3170441cc7c86
-
Filesize
729B
MD58e3c734e8dd87d639fb51500d42694b5
SHA1f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA51206ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853
-
Filesize
39B
MD5415c421ba7ae46e77bdee3a681ecc156
SHA1b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62