Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17/11/2024, 08:13
Static task
static1
Behavioral task
behavioral1
Sample
a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe
Resource
win10v2004-20241007-en
General
-
Target
a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe
-
Size
488KB
-
MD5
96491cc3d37f3c953a017fd6bb7d80f9
-
SHA1
9eae6f9e6bf78055de34233d46f2e07fb054c1c2
-
SHA256
a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7
-
SHA512
92efeabab0504d2dc7d07c607be927ea964b8229fce3574e27c13670bbc81508803efa0e9e52549e9987cf13b23f7b4fa9ef55213d7aca83f4eca3a9f7ccc8fa
-
SSDEEP
12288:V/M9/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:V+K2O2HIBEd7M
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" Tiwi.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" cute.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe -
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe -
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 35 IoCs
pid Process 456 Tiwi.exe 2564 IExplorer.exe 3904 Tiwi.exe 3840 IExplorer.exe 3652 Tiwi.exe 3188 Tiwi.exe 1632 winlogon.exe 4564 IExplorer.exe 1856 IExplorer.exe 4332 winlogon.exe 4276 imoet.exe 2768 winlogon.exe 3492 imoet.exe 2016 cute.exe 2820 imoet.exe 1400 Tiwi.exe 3824 cute.exe 3756 Tiwi.exe 3912 cute.exe 4620 IExplorer.exe 4384 winlogon.exe 3632 IExplorer.exe 4976 winlogon.exe 2532 imoet.exe 464 winlogon.exe 3576 imoet.exe 2200 imoet.exe 808 cute.exe 3988 cute.exe 2080 cute.exe 1572 Tiwi.exe 4524 IExplorer.exe 4464 winlogon.exe 1912 imoet.exe 3596 cute.exe -
Loads dropped DLL 6 IoCs
pid Process 3904 Tiwi.exe 3652 Tiwi.exe 3188 Tiwi.exe 1400 Tiwi.exe 3756 Tiwi.exe 1572 Tiwi.exe -
Modifies system executable filetype association 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command imoet.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" cute.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\X: cute.exe File opened (read-only) \??\V: imoet.exe File opened (read-only) \??\Z: a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File opened (read-only) \??\G: IExplorer.exe File opened (read-only) \??\M: IExplorer.exe File opened (read-only) \??\I: Tiwi.exe File opened (read-only) \??\J: Tiwi.exe File opened (read-only) \??\I: winlogon.exe File opened (read-only) \??\R: imoet.exe File opened (read-only) \??\T: a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File opened (read-only) \??\B: winlogon.exe File opened (read-only) \??\K: imoet.exe File opened (read-only) \??\M: Tiwi.exe File opened (read-only) \??\P: Tiwi.exe File opened (read-only) \??\P: winlogon.exe File opened (read-only) \??\U: winlogon.exe File opened (read-only) \??\W: imoet.exe File opened (read-only) \??\L: cute.exe File opened (read-only) \??\G: a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File opened (read-only) \??\S: IExplorer.exe File opened (read-only) \??\R: IExplorer.exe File opened (read-only) \??\Y: IExplorer.exe File opened (read-only) \??\U: cute.exe File opened (read-only) \??\W: cute.exe File opened (read-only) \??\K: IExplorer.exe File opened (read-only) \??\J: IExplorer.exe File opened (read-only) \??\N: IExplorer.exe File opened (read-only) \??\G: winlogon.exe File opened (read-only) \??\E: cute.exe File opened (read-only) \??\G: cute.exe File opened (read-only) \??\I: IExplorer.exe File opened (read-only) \??\N: Tiwi.exe File opened (read-only) \??\T: cute.exe File opened (read-only) \??\K: a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File opened (read-only) \??\E: IExplorer.exe File opened (read-only) \??\T: IExplorer.exe File opened (read-only) \??\T: Tiwi.exe File opened (read-only) \??\H: winlogon.exe File opened (read-only) \??\Q: imoet.exe File opened (read-only) \??\I: cute.exe File opened (read-only) \??\M: a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File opened (read-only) \??\P: a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File opened (read-only) \??\Q: a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File opened (read-only) \??\O: Tiwi.exe File opened (read-only) \??\N: winlogon.exe File opened (read-only) \??\W: winlogon.exe File opened (read-only) \??\G: imoet.exe File opened (read-only) \??\S: imoet.exe File opened (read-only) \??\L: a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File opened (read-only) \??\Y: a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File opened (read-only) \??\X: Tiwi.exe File opened (read-only) \??\E: winlogon.exe File opened (read-only) \??\O: winlogon.exe File opened (read-only) \??\Q: cute.exe File opened (read-only) \??\J: a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File opened (read-only) \??\X: a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File opened (read-only) \??\N: imoet.exe File opened (read-only) \??\U: imoet.exe File opened (read-only) \??\W: a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File opened (read-only) \??\Z: IExplorer.exe File opened (read-only) \??\X: imoet.exe File opened (read-only) \??\V: IExplorer.exe File opened (read-only) \??\B: imoet.exe File opened (read-only) \??\X: winlogon.exe -
Modifies WinLogon 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " cute.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\autorun.inf a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File opened for modification C:\autorun.inf a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File created F:\autorun.inf a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File opened for modification F:\autorun.inf a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe -
Drops file in System32 directory 40 IoCs
description ioc Process File created C:\Windows\SysWOW64\tiwi.scr a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe cute.exe File opened for modification C:\Windows\SysWOW64\shell.exe imoet.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr imoet.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe imoet.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File created C:\Windows\SysWOW64\IExplorer.exe imoet.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr cute.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr winlogon.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr Tiwi.exe File opened for modification C:\Windows\SysWOW64\shell.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\shell.exe cute.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\shell.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File created C:\Windows\SysWOW64\shell.exe a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe cute.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File opened for modification C:\Windows\SysWOW64\shell.exe Tiwi.exe File created C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe -
Drops file in Windows directory 26 IoCs
description ioc Process File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe winlogon.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe cute.exe File created C:\Windows\tiwi.exe cute.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe Tiwi.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe winlogon.exe File created C:\Windows\tiwi.exe imoet.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File created C:\Windows\tiwi.exe a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe File opened for modification C:\Windows\tiwi.exe Tiwi.exe File created C:\Windows\tiwi.exe IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe imoet.exe File created C:\Windows\msvbvm60.dll IExplorer.exe -
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe -
Modifies Control Panel 54 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\ a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "Tiwi" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\SwapMouseButtons = "1" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "Tiwi" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "Tiwi" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\SwapMouseButtons = "1" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "Tiwi" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "Tiwi" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "Tiwi" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "Tiwi" imoet.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" imoet.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ cute.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" imoet.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\ Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ imoet.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\ IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\SwapMouseButtons = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\SwapMouseButtons = "1" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\SwapMouseButtons = "1" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "Tiwi" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "Tiwi" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\SwapMouseButtons = "1" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "Tiwi" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "Tiwi" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "Tiwi" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ cute.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\ IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\ imoet.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\ a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" cute.exe -
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" imoet.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process 456 Tiwi.exe 4276 imoet.exe 1632 winlogon.exe 2564 IExplorer.exe 2016 cute.exe -
Suspicious use of SetWindowsHookEx 36 IoCs
pid Process 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 456 Tiwi.exe 2564 IExplorer.exe 3904 Tiwi.exe 3840 IExplorer.exe 3652 Tiwi.exe 4564 IExplorer.exe 3188 Tiwi.exe 1632 winlogon.exe 1856 IExplorer.exe 4332 winlogon.exe 4276 imoet.exe 2768 winlogon.exe 2016 cute.exe 3492 imoet.exe 2820 imoet.exe 1400 Tiwi.exe 3824 cute.exe 4620 IExplorer.exe 3912 cute.exe 3756 Tiwi.exe 4384 winlogon.exe 3632 IExplorer.exe 4976 winlogon.exe 464 winlogon.exe 2532 imoet.exe 3576 imoet.exe 2200 imoet.exe 808 cute.exe 3988 cute.exe 2080 cute.exe 1572 Tiwi.exe 4524 IExplorer.exe 4464 winlogon.exe 1912 imoet.exe 3596 cute.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4120 wrote to memory of 456 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 84 PID 4120 wrote to memory of 456 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 84 PID 4120 wrote to memory of 456 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 84 PID 4120 wrote to memory of 2564 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 86 PID 4120 wrote to memory of 2564 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 86 PID 4120 wrote to memory of 2564 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 86 PID 4120 wrote to memory of 3904 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 87 PID 4120 wrote to memory of 3904 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 87 PID 4120 wrote to memory of 3904 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 87 PID 4120 wrote to memory of 3840 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 89 PID 4120 wrote to memory of 3840 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 89 PID 4120 wrote to memory of 3840 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 89 PID 456 wrote to memory of 3652 456 Tiwi.exe 90 PID 456 wrote to memory of 3652 456 Tiwi.exe 90 PID 456 wrote to memory of 3652 456 Tiwi.exe 90 PID 2564 wrote to memory of 3188 2564 IExplorer.exe 91 PID 2564 wrote to memory of 3188 2564 IExplorer.exe 91 PID 2564 wrote to memory of 3188 2564 IExplorer.exe 91 PID 4120 wrote to memory of 1632 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 92 PID 4120 wrote to memory of 1632 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 92 PID 4120 wrote to memory of 1632 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 92 PID 456 wrote to memory of 4564 456 Tiwi.exe 93 PID 456 wrote to memory of 4564 456 Tiwi.exe 93 PID 456 wrote to memory of 4564 456 Tiwi.exe 93 PID 2564 wrote to memory of 1856 2564 IExplorer.exe 96 PID 2564 wrote to memory of 1856 2564 IExplorer.exe 96 PID 2564 wrote to memory of 1856 2564 IExplorer.exe 96 PID 456 wrote to memory of 4332 456 Tiwi.exe 97 PID 456 wrote to memory of 4332 456 Tiwi.exe 97 PID 456 wrote to memory of 4332 456 Tiwi.exe 97 PID 4120 wrote to memory of 4276 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 98 PID 4120 wrote to memory of 4276 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 98 PID 4120 wrote to memory of 4276 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 98 PID 2564 wrote to memory of 2768 2564 IExplorer.exe 100 PID 2564 wrote to memory of 2768 2564 IExplorer.exe 100 PID 2564 wrote to memory of 2768 2564 IExplorer.exe 100 PID 456 wrote to memory of 3492 456 Tiwi.exe 102 PID 456 wrote to memory of 3492 456 Tiwi.exe 102 PID 456 wrote to memory of 3492 456 Tiwi.exe 102 PID 4120 wrote to memory of 2016 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 103 PID 4120 wrote to memory of 2016 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 103 PID 4120 wrote to memory of 2016 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 103 PID 2564 wrote to memory of 2820 2564 IExplorer.exe 104 PID 2564 wrote to memory of 2820 2564 IExplorer.exe 104 PID 2564 wrote to memory of 2820 2564 IExplorer.exe 104 PID 1632 wrote to memory of 1400 1632 winlogon.exe 105 PID 1632 wrote to memory of 1400 1632 winlogon.exe 105 PID 1632 wrote to memory of 1400 1632 winlogon.exe 105 PID 2564 wrote to memory of 3824 2564 IExplorer.exe 106 PID 2564 wrote to memory of 3824 2564 IExplorer.exe 106 PID 2564 wrote to memory of 3824 2564 IExplorer.exe 106 PID 4276 wrote to memory of 3756 4276 imoet.exe 108 PID 4276 wrote to memory of 3756 4276 imoet.exe 108 PID 4276 wrote to memory of 3756 4276 imoet.exe 108 PID 456 wrote to memory of 3912 456 Tiwi.exe 107 PID 456 wrote to memory of 3912 456 Tiwi.exe 107 PID 456 wrote to memory of 3912 456 Tiwi.exe 107 PID 1632 wrote to memory of 4620 1632 winlogon.exe 109 PID 1632 wrote to memory of 4620 1632 winlogon.exe 109 PID 1632 wrote to memory of 4620 1632 winlogon.exe 109 PID 4120 wrote to memory of 4384 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 110 PID 4120 wrote to memory of 4384 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 110 PID 4120 wrote to memory of 4384 4120 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe 110 PID 4276 wrote to memory of 3632 4276 imoet.exe 111 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Tiwi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cute.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe"C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4120 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:456 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3652
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4564
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4332
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3492
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3912
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2564 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3188
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1856
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2768
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2820
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3824
-
-
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3904
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3840
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1632 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1400
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4620
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4976
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3576
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:808
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4276 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3756
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3632
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:464
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2200
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3988
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2016 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1572
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4524
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4464
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1912
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3596
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4384
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2532
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2080
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD5211a89b15eb2d9d536da748246d863f6
SHA138881e75efa792aaf0db65faadc428192295a4c4
SHA256add73ef68733cebb8d94a535e31412c0614ffa6a8a2e266dfdb435a1f7144ff5
SHA512497fe08040936c7f1839833a15298c9a0d9f7736a56cc49119c8f1bceece533f646ef194c66eecbf445c102d7ee4ee4423069d053ba21316fc08252fbe0f1e9b
-
Filesize
488KB
MD5bd7debbfe3b8be0f6881f8df00b53aad
SHA12de40d26749d882211248ce8ab192c25e2cd34df
SHA256f49a28e6b56b25d5489e260d554f6ab413207fcdbe1ab23201f49edb94e8d34b
SHA512bff6142aadc76d2f36b80024b40a72777568bc2fa7c23ce4193aedb59c1cc87be2d17bc1f78f722ad08cd3d67d2fea2ab8840158c177e370eae8ea0109cfb5f1
-
Filesize
488KB
MD5ec114581537b5939c3d371e942ed6ff6
SHA1dd267dc58f4eb6e86147da981cbefebaa5fcc402
SHA25682deea64bc4cd9e5b7b62754fde0d1a19dd7e2811b8b1f7e3f5b4b18da0b7441
SHA5121be0313534a9883b6f732a41f2d24937d1c55526dd8a97efd9ebc0cec2d4510db9d726544b0ece33f0d03639f59a8af76d6c8901adf583db28b3d77d6c17ac65
-
Filesize
488KB
MD500b9363bf2bf749862edd5e2d9d11414
SHA14f7575bd02b4fb10e5f52a2e36203e8e8bf1c882
SHA25673a0cc5ab73b57de95e33a241cb5f52b7bf27a2ff6ff993ef79f741171fdeb9e
SHA512623aa68a32f745c4ec913bc8a8773a61211e97e15a7387ca58ba1d5d78a6927787694869e282290a2d858f8779bb3d8874a689a2ac2e2319588d5ab1388efb2a
-
Filesize
488KB
MD5d71fcc341bc9c23945e918712b59f97c
SHA1ad4a2da79d6b7d0ef5de9e2e6f95794a6927f005
SHA256ebb8fd1ec721876bfbb5847611c026623179739d86aa82abf7b576735c214789
SHA512e64ab6c5c14109f67324b5a55a868acfcc30f5637b6252fd32a34524179a41026fe25250c95c7978ec3d3cc334c7ad5f5ed8636ab083173889a4c589c8d9c7c8
-
Filesize
45KB
MD5d9383fcdbedb1a752e54f905f4e1028b
SHA17b616ee9630f571ce292cb2929a93691c4cea1e1
SHA256286a21e47f1008ad942b5e63c744b2dac444d59aed383f1b869e8785af0eadb4
SHA5123a7706eb9f9ae53545ced42d8635c3f7e8fbce38196f0f1d1a53253013058147caa79d040c4ad7988a236bce681acc21fdff2e549412cc5025e7e8acc151f3b7
-
Filesize
45KB
MD534244406f807ba4c44bd103c3ac85a6e
SHA1202ac1197a5def904bcd3d3aa003cba6fa3da84b
SHA256a48a370ef506e06a3a350bcfdf5803737678cbe3f66cc8db72404b20e3ea4cd1
SHA51246512c4764306bffddb0f3cc81bd7b342353ee413d8ea42b28f05b2f4c97afc65eed0ba4bc2a06aff1a61e32ff86119efa2ace9f884f0f1b0e2ae756c8475b52
-
Filesize
488KB
MD596dd4c7bc1fc022bbcb1880ad8fe3ef8
SHA15bb3c5e5d1ea381f4495bdb58943c89b528c489d
SHA256447ad949819f35ce96e0e5c839482305b36e75b4741876b5b5bdace87799847d
SHA512fd45c1150a9150f8786b9e7a32c740a2f581b5450febebbd10ac31c23eb12e8dc6e9714905a0785c7b6a1e97ccb870490f11960dbdcd821e81582d4641c9e29d
-
Filesize
488KB
MD529e3d0e558a1df3906cc63f96dcc4354
SHA1e3b293f0b156a6bf847e54e76af42b7deaf209c0
SHA2563f31cfa22fcfd1b7bfeacdeae266a021ccccf4a5181da00be72be4196a7957c2
SHA51297c42e958fb39e7d8c214738b05b6f7c3975057e9a3b27c2e51e754a0c041d73687593b197afe364286083581e39d5f6b53c557abc6f2fea9098a58d8f7ac402
-
Filesize
488KB
MD5e72d853495a522d923673d41d50d7a83
SHA188da6c348c603358ded51f546a7d68238e73315c
SHA2563b0cd5cdeb3f83bfd6fe75e589005e726ec536853904a92b817ab13e35340038
SHA512ed6e19f979cd259307d7d16a972aa1457e8300888c9a8e81d840cee516f2506f391738ef26ef4ac5084afa6201941b8cf0b4ffffef0b3680b8a92d5f6c7e401e
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
488KB
MD51645df816282a40ffc60bcff71e6a333
SHA17ef3ce52eef3088737da97c0b524915ec39a70d2
SHA2569566ab931ea3325dc13c4a575452fd459ed62a933d1405688eb8a715b3fb9f38
SHA5124c7a9962b2b13f72356fc6409bdeb4170363cbf77eb88e2572f820f962e1cea09d17f76ee5ef4ad8a9408209a589466268401ae6f9dd02fcad10d22e5b555a71
-
Filesize
488KB
MD5cae87c40d36cb91d2a05abd5fd7cbdba
SHA13ea8b253aa98e30fe7b51ae30d151577e6db7b19
SHA256be2480b670c089927c0a142ca44aec38960c601e6b39536a207fce8c244155c5
SHA5123b92407231405fd10f2a03eafcb0675e2d0a5a4c99b0b321ff0b91a1a70c52d85cdbf29097016093e5791d20c4cb442f3503d6942e10078d443739709be18cfb
-
Filesize
488KB
MD596491cc3d37f3c953a017fd6bb7d80f9
SHA19eae6f9e6bf78055de34233d46f2e07fb054c1c2
SHA256a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7
SHA51292efeabab0504d2dc7d07c607be927ea964b8229fce3574e27c13670bbc81508803efa0e9e52549e9987cf13b23f7b4fa9ef55213d7aca83f4eca3a9f7ccc8fa
-
Filesize
488KB
MD52bff5aac327063eb072ba28ba42d6a81
SHA1e6a8697acabc1d2cf93cb4359f26a3382e6330ed
SHA2562e98aed222786ead46b0984e1e8ea12c07d3ec2061faef8fcec62668d18cc174
SHA5122544fa03d7135309a273cac2185a79d4e8fbc7ba4e79ef4ee0be6426c9d390bb705c0978fe74d3ef271bb9753b5f481505048ad809180a2bf7481b110f25173b
-
Filesize
488KB
MD58eb42c4a8d5ae1ff4b59e04a870e72a2
SHA107641442200937ce2bdbd239b8646bbe987373fd
SHA256d94f1d34b89b35d4cbab13f5fbdd5a49d4e53385f8539fe2753c6d49382b68a3
SHA5125ad7d50e798e774312cd9f09dfc503638333afeb6e320f9ef2b45fa014a33e949eae39104b41b6be76f498fc98a76f45abc189f86bd1ac5ba9220c4e52b35df7
-
Filesize
729B
MD58e3c734e8dd87d639fb51500d42694b5
SHA1f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA51206ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853
-
Filesize
488KB
MD50673b28a35dd4c6e121a846e816e08bf
SHA18f906938477d2236eccee94f332cc1745f521c01
SHA25626a57e7b69332f5f6abfb97b1811cd61ba8b384bc20d786d1477211fcc62c76d
SHA5129189529173b5155e7ac0eab6dad3d8ce005959bb9e0d6a4ba610ab45e61cc38cc9e7fdd6ec3aa908b32f27b96da02b82302050f6f1b15bf3a6b46db63a094c49
-
Filesize
39B
MD5415c421ba7ae46e77bdee3a681ecc156
SHA1b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62