Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
17/11/2024, 08:27
Static task
static1
Behavioral task
behavioral1
Sample
b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe
Resource
win10v2004-20241007-en
General
-
Target
b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe
-
Size
56KB
-
MD5
b0be3102b32edd9264701e3d79b815c7
-
SHA1
08b6c5c0256fd6475980744d5955a59a739eb87d
-
SHA256
b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474
-
SHA512
58807be09a297c1be232cd304f68e6e3d79f088407a82254966d4c0e4327bf4bc89bd9cd23d239b2581dd0c985ac154c4631437528f785a527f5f74bd1364b6d
-
SSDEEP
768:VNuG777/+V36n9PcXYvn8KR1I3NznRAQZlh4VkpX179r+R5rOwekf:V8w2VS9Eovn8KRgWmhZpX1Qyw
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" imoet.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" imoet.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Tiwi.exe -
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe -
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 35 IoCs
pid Process 2740 Tiwi.exe 2520 IExplorer.exe 1952 Tiwi.exe 1368 Tiwi.exe 2396 IExplorer.exe 768 IExplorer.exe 2156 Tiwi.exe 1312 winlogon.exe 2228 winlogon.exe 2312 IExplorer.exe 1980 imoet.exe 2668 imoet.exe 2176 cute.exe 1668 winlogon.exe 3048 imoet.exe 1732 Tiwi.exe 1088 cute.exe 1704 cute.exe 3000 IExplorer.exe 2868 winlogon.exe 2872 Tiwi.exe 3020 imoet.exe 2848 IExplorer.exe 2876 winlogon.exe 2712 imoet.exe 2708 cute.exe 1508 Tiwi.exe 708 winlogon.exe 1084 IExplorer.exe 568 cute.exe 1960 winlogon.exe 3004 imoet.exe 600 imoet.exe 700 cute.exe 3028 cute.exe -
Loads dropped DLL 53 IoCs
pid Process 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 2740 Tiwi.exe 2740 Tiwi.exe 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 2520 IExplorer.exe 2520 IExplorer.exe 2740 Tiwi.exe 2740 Tiwi.exe 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 2740 Tiwi.exe 2740 Tiwi.exe 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 2520 IExplorer.exe 2520 IExplorer.exe 2520 IExplorer.exe 2520 IExplorer.exe 2740 Tiwi.exe 2740 Tiwi.exe 2520 IExplorer.exe 2520 IExplorer.exe 1312 winlogon.exe 1312 winlogon.exe 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 1980 imoet.exe 1980 imoet.exe 1312 winlogon.exe 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 1312 winlogon.exe 1312 winlogon.exe 1980 imoet.exe 1980 imoet.exe 1312 winlogon.exe 1312 winlogon.exe 2176 cute.exe 2176 cute.exe 1980 imoet.exe 2176 cute.exe 2176 cute.exe 2176 cute.exe 2176 cute.exe 1980 imoet.exe 1980 imoet.exe 2176 cute.exe -
Modifies system executable filetype association 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" cute.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\U: winlogon.exe File opened (read-only) \??\O: imoet.exe File opened (read-only) \??\K: cute.exe File opened (read-only) \??\N: cute.exe File opened (read-only) \??\V: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\E: Tiwi.exe File opened (read-only) \??\U: imoet.exe File opened (read-only) \??\O: cute.exe File opened (read-only) \??\R: IExplorer.exe File opened (read-only) \??\V: IExplorer.exe File opened (read-only) \??\G: imoet.exe File opened (read-only) \??\T: imoet.exe File opened (read-only) \??\J: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\T: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\Q: IExplorer.exe File opened (read-only) \??\E: winlogon.exe File opened (read-only) \??\O: winlogon.exe File opened (read-only) \??\G: IExplorer.exe File opened (read-only) \??\Z: cute.exe File opened (read-only) \??\R: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\V: Tiwi.exe File opened (read-only) \??\T: winlogon.exe File opened (read-only) \??\N: imoet.exe File opened (read-only) \??\E: IExplorer.exe File opened (read-only) \??\B: Tiwi.exe File opened (read-only) \??\B: imoet.exe File opened (read-only) \??\E: imoet.exe File opened (read-only) \??\R: imoet.exe File opened (read-only) \??\Z: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\V: winlogon.exe File opened (read-only) \??\V: imoet.exe File opened (read-only) \??\W: imoet.exe File opened (read-only) \??\T: cute.exe File opened (read-only) \??\B: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\X: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\Z: Tiwi.exe File opened (read-only) \??\B: cute.exe File opened (read-only) \??\X: cute.exe File opened (read-only) \??\I: Tiwi.exe File opened (read-only) \??\O: Tiwi.exe File opened (read-only) \??\Z: imoet.exe File opened (read-only) \??\H: cute.exe File opened (read-only) \??\W: IExplorer.exe File opened (read-only) \??\J: Tiwi.exe File opened (read-only) \??\N: Tiwi.exe File opened (read-only) \??\P: cute.exe File opened (read-only) \??\M: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\O: IExplorer.exe File opened (read-only) \??\L: Tiwi.exe File opened (read-only) \??\R: winlogon.exe File opened (read-only) \??\S: winlogon.exe File opened (read-only) \??\I: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\T: IExplorer.exe File opened (read-only) \??\V: cute.exe File opened (read-only) \??\Y: cute.exe File opened (read-only) \??\H: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\N: IExplorer.exe File opened (read-only) \??\N: winlogon.exe File opened (read-only) \??\K: imoet.exe File opened (read-only) \??\E: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\B: IExplorer.exe File opened (read-only) \??\M: Tiwi.exe File opened (read-only) \??\M: winlogon.exe File opened (read-only) \??\Y: imoet.exe -
Modifies WinLogon 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" imoet.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\autorun.inf b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened for modification C:\autorun.inf b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File created F:\autorun.inf b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened for modification F:\autorun.inf b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe -
Drops file in System32 directory 40 IoCs
description ioc Process File created C:\Windows\SysWOW64\shell.exe b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe imoet.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened for modification C:\Windows\SysWOW64\shell.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr imoet.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr Tiwi.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\shell.exe imoet.exe File created C:\Windows\SysWOW64\IExplorer.exe cute.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe winlogon.exe File created C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File created C:\Windows\SysWOW64\tiwi.scr b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File created C:\Windows\SysWOW64\IExplorer.exe b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe imoet.exe File opened for modification C:\Windows\SysWOW64\shell.exe cute.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr cute.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe cute.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr winlogon.exe -
Drops file in Windows directory 26 IoCs
description ioc Process File opened for modification C:\Windows\tiwi.exe cute.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened for modification C:\Windows\tiwi.exe Tiwi.exe File created C:\Windows\tiwi.exe Tiwi.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File created C:\Windows\tiwi.exe winlogon.exe File created C:\Windows\tiwi.exe imoet.exe File created C:\Windows\tiwi.exe cute.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe winlogon.exe File opened for modification C:\Windows\tiwi.exe IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe imoet.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe -
Modifies Control Panel 54 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s1159 = "Tiwi" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s2359 = "Tiwi" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\ Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\ IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ cute.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\ Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s2359 = "Tiwi" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\SwapMouseButtons = "1" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" cute.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\ winlogon.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s1159 = "Tiwi" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" cute.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s1159 = "Tiwi" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s2359 = "Tiwi" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s1159 = "Tiwi" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s2359 = "Tiwi" cute.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s1159 = "Tiwi" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\SwapMouseButtons = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\SwapMouseButtons = "1" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s2359 = "Tiwi" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\ IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\SwapMouseButtons = "1" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" cute.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\ b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\ b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s1159 = "Tiwi" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s2359 = "Tiwi" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\SwapMouseButtons = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\SwapMouseButtons = "1" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" imoet.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" imoet.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\ cute.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\ b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\ imoet.exe -
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" cute.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command cute.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process 2740 Tiwi.exe 1980 imoet.exe 1312 winlogon.exe 2520 IExplorer.exe 2176 cute.exe -
Suspicious use of SetWindowsHookEx 36 IoCs
pid Process 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 2740 Tiwi.exe 2520 IExplorer.exe 1952 Tiwi.exe 1368 Tiwi.exe 768 IExplorer.exe 2396 IExplorer.exe 2156 Tiwi.exe 1312 winlogon.exe 2228 winlogon.exe 2312 IExplorer.exe 1980 imoet.exe 1668 winlogon.exe 2668 imoet.exe 2176 cute.exe 3048 imoet.exe 1732 Tiwi.exe 1088 cute.exe 1704 cute.exe 2868 winlogon.exe 3000 IExplorer.exe 2872 Tiwi.exe 3020 imoet.exe 2876 winlogon.exe 2848 IExplorer.exe 2708 cute.exe 2712 imoet.exe 1508 Tiwi.exe 708 winlogon.exe 1084 IExplorer.exe 568 cute.exe 1960 winlogon.exe 3004 imoet.exe 700 cute.exe 600 imoet.exe 3028 cute.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2404 wrote to memory of 2740 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 30 PID 2404 wrote to memory of 2740 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 30 PID 2404 wrote to memory of 2740 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 30 PID 2404 wrote to memory of 2740 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 30 PID 2404 wrote to memory of 2520 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 31 PID 2404 wrote to memory of 2520 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 31 PID 2404 wrote to memory of 2520 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 31 PID 2404 wrote to memory of 2520 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 31 PID 2740 wrote to memory of 1952 2740 Tiwi.exe 32 PID 2740 wrote to memory of 1952 2740 Tiwi.exe 32 PID 2740 wrote to memory of 1952 2740 Tiwi.exe 32 PID 2740 wrote to memory of 1952 2740 Tiwi.exe 32 PID 2404 wrote to memory of 1368 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 33 PID 2404 wrote to memory of 1368 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 33 PID 2404 wrote to memory of 1368 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 33 PID 2404 wrote to memory of 1368 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 33 PID 2740 wrote to memory of 2396 2740 Tiwi.exe 34 PID 2740 wrote to memory of 2396 2740 Tiwi.exe 34 PID 2740 wrote to memory of 2396 2740 Tiwi.exe 34 PID 2740 wrote to memory of 2396 2740 Tiwi.exe 34 PID 2404 wrote to memory of 768 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 35 PID 2404 wrote to memory of 768 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 35 PID 2404 wrote to memory of 768 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 35 PID 2404 wrote to memory of 768 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 35 PID 2520 wrote to memory of 2156 2520 IExplorer.exe 36 PID 2520 wrote to memory of 2156 2520 IExplorer.exe 36 PID 2520 wrote to memory of 2156 2520 IExplorer.exe 36 PID 2520 wrote to memory of 2156 2520 IExplorer.exe 36 PID 2404 wrote to memory of 1312 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 37 PID 2404 wrote to memory of 1312 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 37 PID 2404 wrote to memory of 1312 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 37 PID 2404 wrote to memory of 1312 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 37 PID 2520 wrote to memory of 2312 2520 IExplorer.exe 38 PID 2520 wrote to memory of 2312 2520 IExplorer.exe 38 PID 2520 wrote to memory of 2312 2520 IExplorer.exe 38 PID 2520 wrote to memory of 2312 2520 IExplorer.exe 38 PID 2740 wrote to memory of 2228 2740 Tiwi.exe 39 PID 2740 wrote to memory of 2228 2740 Tiwi.exe 39 PID 2740 wrote to memory of 2228 2740 Tiwi.exe 39 PID 2740 wrote to memory of 2228 2740 Tiwi.exe 39 PID 2404 wrote to memory of 1980 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 40 PID 2404 wrote to memory of 1980 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 40 PID 2404 wrote to memory of 1980 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 40 PID 2404 wrote to memory of 1980 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 40 PID 2740 wrote to memory of 2668 2740 Tiwi.exe 41 PID 2740 wrote to memory of 2668 2740 Tiwi.exe 41 PID 2740 wrote to memory of 2668 2740 Tiwi.exe 41 PID 2740 wrote to memory of 2668 2740 Tiwi.exe 41 PID 2404 wrote to memory of 2176 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 42 PID 2404 wrote to memory of 2176 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 42 PID 2404 wrote to memory of 2176 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 42 PID 2404 wrote to memory of 2176 2404 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 42 PID 2520 wrote to memory of 1668 2520 IExplorer.exe 43 PID 2520 wrote to memory of 1668 2520 IExplorer.exe 43 PID 2520 wrote to memory of 1668 2520 IExplorer.exe 43 PID 2520 wrote to memory of 1668 2520 IExplorer.exe 43 PID 1312 wrote to memory of 1732 1312 winlogon.exe 44 PID 1312 wrote to memory of 1732 1312 winlogon.exe 44 PID 1312 wrote to memory of 1732 1312 winlogon.exe 44 PID 1312 wrote to memory of 1732 1312 winlogon.exe 44 PID 2520 wrote to memory of 3048 2520 IExplorer.exe 45 PID 2520 wrote to memory of 3048 2520 IExplorer.exe 45 PID 2520 wrote to memory of 3048 2520 IExplorer.exe 45 PID 2520 wrote to memory of 3048 2520 IExplorer.exe 45 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cute.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Tiwi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe"C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2404 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2740 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1952
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2396
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2228
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2668
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1088
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2520 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2156
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2312
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1668
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3048
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1704
-
-
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1368
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:768
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1312 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1732
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3000
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2876
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2712
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:568
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1980 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2872
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2848
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:708
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3004
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:700
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2176 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1508
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1084
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1960
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:600
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3028
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2868
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3020
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2708
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD5d2b09605bc0f0a9bd7e2679e5ca80f33
SHA10731aa29ff9289913941d19de5f9ea9cfb1d4901
SHA2566815469edb0ed5548dfe86c03093ea11b1447ced841f00db2fbeb5b55b39a3f6
SHA512ddbc4eea8d0fce63e5d7127a88355c06647d0225e66debde7a980e9c283e67463b591e445e5659c9d577adbde25c7a2af5ca8b15fdffb673057b17d82c91643a
-
Filesize
56KB
MD5bc7ea5c7e2f396c1657fffb7994255aa
SHA1d2c9b836e59c3e8ecbcba7f8c036c48c04eceba1
SHA256bdd597f815b80d817091750da96e32435b5f909e50e73d08276b09f9652008f2
SHA51202be12ef8c313a9a9eb95fb9a3a3556a718e9f828006184ee4e256215eea56b70e58e0eeadbe1e81d4adcce7bebb2efb449f98a727d34607e3475c48770bfd28
-
Filesize
56KB
MD5f040e3e4d4f81482dfbec84c848aa2d1
SHA1d0520bf48642cfd77d6fb7bbd3228f514dacc703
SHA25623227aea29be10f2139e287d44e9ea44146264010654ec6d30a8dcdef22f393d
SHA512a64757fc76672d504cedca9dd21009b28956dce83c6220db11cc800c77c84c985e882945483f8e65d1da2ed66e93fc1864c74f45a0fcaedc711690016e803178
-
Filesize
56KB
MD515bd0b5e1783570c99fe22aae51342ed
SHA1176c2442ee85e5ff97c32a5616c183bf969c3406
SHA2561656d9800a0cecaf3e02df72649e85f0085cc7a633b060a061f70b2b93964592
SHA5121b1fd89916422bf2e8dba866caa695dae0e079e80bc22bcc1be6ba1b4b09c3818d7a811621b2416405007d4c01ab7c50765da65bdb05a67179c6fb5a1f4d40a5
-
Filesize
56KB
MD5b10bf64ad9b13908783b5d545343f703
SHA100adb3183f8cd0bd62a0d017aa499403a606e1c7
SHA256fe8ae222ab1a409b28719577d512dd7530d207277ac10b7e854d64a4144afe64
SHA512b19350ec9ef3c59dc3ecc8edde535ac0fd1697fd693dec07b1a64816daecfbf554083076a86448b5aaefda6d3987c51e876386dcd9914df56cd706b75539e075
-
Filesize
45KB
MD5090877d9c1c842142912cfe633bdf2c8
SHA1158ff7652f9a1c9825458849aecfffa9934aa522
SHA256ba2fe8c0ce0768b09a264cc58395d1e8b6de41f7aaa07ac8f7743277b707b5a8
SHA512018374917ade2d5b36076d7ca2b56db95a5a20202d21a6fdbc234990be4ca82751ad966e79571528bdbceab50ca3a042601d6531821b5a0ae5c037cb40d6c23c
-
Filesize
45KB
MD53bbd6647f7d24e65f286b2b8177127a4
SHA1f7cf5614f0e0afc0011c27e6fade598efbed1c92
SHA256929e96344a5c046fd8ed1592f7f53f444d37402ff210f1996bf2775127f933ad
SHA512b0366cda2d22cbd7dfd32026737190b1014da45a22791d8ce6e9e66085c8762a825795a24b56bfd5a2122c795f11d57385300dac7c8588283c2486a84c6cbea7
-
Filesize
56KB
MD55cec5f0a046b514ad9ac38d271e4afdd
SHA196330f99273065b51af64a3d7feeace400a63231
SHA25689377e2d3639c985e3cf9a9e4ecc35790ee142780a5a5bcdbbcebd32ac5414fd
SHA5123dd8062fc5a08013651adeb53ff4ba13a774e04dd2a99b42a6733e61d785384c04063501b40153e9036b600612bcd0938d493027e897a9d389b151c60c113ef4
-
Filesize
56KB
MD58304c36369390a06ae099f9c4cf2639f
SHA1d9226db34cb6b43843c153a544e2690f61886d9c
SHA25617676b4ef64b2f7e7c686c5a11ada95144499b821ee32a9e41c5c2e94f920cf6
SHA51263afd86e2949d786db4d450522882ec61cce97af035e8d0a350548a79c191df55c9e24ddb05d19e99f2a376ecdff9c4bf83c309b02f2b3b742aa2eda31a03455
-
Filesize
56KB
MD5326d243250dfc5fe63da5b78b70bc716
SHA1666096dafb6dd12de38fcb190dfd0fadf29d819b
SHA2569bd43994ca6f32dbc75e68c73085eb0b7d9fdfe28c593085a93aa9717a26d37b
SHA512aa3d6eb5873fe9f9277d5d944c66525dfd28d0685c124f4e2601182f3f060d9b8f9821a5fe49332c304a1c60d45a5be05e4043def08da9dec65c9e1be151258f
-
Filesize
56KB
MD525ca7db8d6fa75423e56ce931e022e67
SHA14a8bd5b89c646d9cc423279b7c735b7a49509658
SHA256aa8bbdb780c316e493ca67c3b0967cb3f8411498d5a8d267889be95b07f9aed9
SHA512db4e85154c6491a086e712adbecfe5bcb387295bc7c5143fc7686b73708490f2190874f4139f3eb6fd5e492fe8f796af207465171ae143f37a152c466792a609
-
Filesize
56KB
MD53557620cd6ab2144210fae3ed0cd1827
SHA17db125c897d51760ba75918cbdf119f48112fadb
SHA2566c1e1ad772f5f0f56130da6ce0a68950e0cd8d99e7a6755eb645f0bab7b7be53
SHA5125c22f38730cd5f90dd9702ecc7dbe8222efae7d6691e0c5267131a86124590ee3a8446cf199fba116f51b3eb5e5aed236bec3952d9b1494b9a47dd50bf16093d
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
56KB
MD50060e3f52f38813ab4b1145f1c2e61ab
SHA1912934d3dd6192fb586c09ad840cf1f5faf852f8
SHA256b4af52539447a9d170e50db13c2085b56fb9513ef9b42d491589b32edca5ba56
SHA5122b0f43a37f5e6c2f686955c9ce8c85747c55815f8f6d63f05c7de14a543183ee650a0bd4a5d8e78b7c25fa720b5b5d947cb81e9a09adf05817d3e41b4ad3a36d
-
Filesize
56KB
MD5ab15918c976b1884d52c2500db049fd2
SHA1d3d648d224ab8930006175169e36e5282ce3e800
SHA256fa477bf6fdec992251a9f1291a79fb06a189c9ddbad5ee45f16f2d9817de05b0
SHA512c6b5f75ff439d6ffd4e16672b4931061a70835673cea057e90bd96377d84aa0d49ecb0c2c09423b27a1734e3e2bd5156b3de54bb4c9da1fc001971743a354e20
-
Filesize
56KB
MD5b0be3102b32edd9264701e3d79b815c7
SHA108b6c5c0256fd6475980744d5955a59a739eb87d
SHA256b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474
SHA51258807be09a297c1be232cd304f68e6e3d79f088407a82254966d4c0e4327bf4bc89bd9cd23d239b2581dd0c985ac154c4631437528f785a527f5f74bd1364b6d
-
Filesize
56KB
MD5351afc7bee404b7bf0d58833b530be22
SHA19d2e10703c43163d799d07f9b171a1858ab16f65
SHA25678725526ece54f68df207cb7b688475f658f2eeeb200ebf075814ca3bedf3a3f
SHA51296915ed107f75fa49dae0c8b72047ef11782994f3bc8234b90927afc334c696c5afcce644fefdca6b23551894c60f49d466ae7ed2bbad26ad6157ed3d27dddee
-
Filesize
56KB
MD5e4f6ed8488bf167c7def663e7fde1fc9
SHA154d698a655435112c947281681151d2a62282ed9
SHA2560e08a351f1149f99c82ebfa701753477f258e32e9a64fa34d087d9412e296b14
SHA512adae634ffa0b6277dba9db863a5ee3980eaeeb9ced709e4a939bfa3636f22121e5d9965024bc2d9b6c1b624d1cfad4b81733830b52ad2fc1b34e9323191b8c3c
-
Filesize
56KB
MD5f75f0b6ed664e341fc47430a01152a11
SHA1cc0c1329df5ee77ff9bde5105022694d3d0e39a8
SHA25606691ef65e8535139a8ea60ed9399b4a5a91bf740a4980245cdcca0272218695
SHA512af4e8d6f209c92550de253c553b6b0788274fe14a6d1af83a7eff0496279b1827f3ad43d0bf933f8d5db6ad1da0fac274e308ed0fa89fb9cc45eac9745b66a72
-
Filesize
56KB
MD5a32bd001152a4efa75d759f30e3c5681
SHA17734b32963b987ed66d5352808da6be9bda6fd50
SHA25692c85d9372a8f6cf5fd2c1175322ee88e30f8b191d869240ae4f60e348db1e97
SHA51219f5f49a659c703c7eae5f9a3ea9f2385264c939f56ad87f9785e4fb9e9ba5b5bc38472126e6bc805d3424c0b1d168adf9f8cdcb6bb27e29043ff283fb89b5a6
-
Filesize
729B
MD58e3c734e8dd87d639fb51500d42694b5
SHA1f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA51206ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853
-
Filesize
56KB
MD5b56414214748f9d28ca538109637e6e1
SHA17df00d8199266c429f7e2ebe0036857fac36841e
SHA25665a0ada34732488a094a574a877f3ed02df9ef3a0694ebb0fd432cec420e27fe
SHA512d7383ffedd8be0e13d9dc5bc2a1fd821fa963f67ffca174576a5b2da305dc204171ec36b05aefcae5aa74fb168a8d95f3366538d8047a46c5c8a186f9dc5d59f
-
Filesize
56KB
MD5ca87226c8c2120428eb8890cd9b2fa8c
SHA119bd86a1317d8bf5c6f047ccc82b3b43db15b545
SHA256c8caf94bbcf1e35c45b40d5e485f9ca74df5121a3f1a4a4a81448ff5ee67ecb7
SHA512cb0774779a5c2f5a957ec8b3a374e0d22523f56776b38b94f14a952d35758c4a8cac6fa78a1eecd0b2c1581f25589e479dd8b41f82f88e68cf2308e890273805
-
Filesize
39B
MD5415c421ba7ae46e77bdee3a681ecc156
SHA1b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62
-
Filesize
56KB
MD5ce759bd98c56b64463ede3bf3f33df57
SHA1e9cb6bf61369a77926cbfea9853709c4201ffdff
SHA25668155b74d131d5992e55c1774cd73761463acc60ca97abf33bba429a90ac64a6
SHA512dc6b6af1d643e88f53ee79b6a6ad958f04976553e3c9184a4c7b232521972d006c6f63241df5c8933ac21dbe1504cc9c22d54b459c88b155311bc380c0611641