Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17/11/2024, 08:27
Static task
static1
Behavioral task
behavioral1
Sample
b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe
Resource
win10v2004-20241007-en
General
-
Target
b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe
-
Size
56KB
-
MD5
b0be3102b32edd9264701e3d79b815c7
-
SHA1
08b6c5c0256fd6475980744d5955a59a739eb87d
-
SHA256
b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474
-
SHA512
58807be09a297c1be232cd304f68e6e3d79f088407a82254966d4c0e4327bf4bc89bd9cd23d239b2581dd0c985ac154c4631437528f785a527f5f74bd1364b6d
-
SSDEEP
768:VNuG777/+V36n9PcXYvn8KR1I3NznRAQZlh4VkpX179r+R5rOwekf:V8w2VS9Eovn8KRgWmhZpX1Qyw
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" imoet.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" imoet.exe -
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe -
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 35 IoCs
pid Process 2420 Tiwi.exe 4048 IExplorer.exe 3240 Tiwi.exe 4244 Tiwi.exe 832 IExplorer.exe 4732 IExplorer.exe 688 winlogon.exe 2056 winlogon.exe 3300 Tiwi.exe 2356 imoet.exe 3676 imoet.exe 1560 IExplorer.exe 1060 cute.exe 2684 winlogon.exe 4436 cute.exe 5036 imoet.exe 1172 cute.exe 1084 winlogon.exe 3992 Tiwi.exe 3188 Tiwi.exe 2440 Tiwi.exe 1616 IExplorer.exe 3580 IExplorer.exe 4040 IExplorer.exe 2188 winlogon.exe 1976 imoet.exe 2512 winlogon.exe 3972 winlogon.exe 1556 imoet.exe 4324 cute.exe 1728 imoet.exe 3408 imoet.exe 4284 cute.exe 2612 cute.exe 1376 cute.exe -
Loads dropped DLL 6 IoCs
pid Process 3240 Tiwi.exe 4244 Tiwi.exe 3300 Tiwi.exe 3992 Tiwi.exe 2440 Tiwi.exe 3188 Tiwi.exe -
Modifies system executable filetype association 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" Tiwi.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: winlogon.exe File opened (read-only) \??\H: Tiwi.exe File opened (read-only) \??\N: cute.exe File opened (read-only) \??\R: winlogon.exe File opened (read-only) \??\T: IExplorer.exe File opened (read-only) \??\U: IExplorer.exe File opened (read-only) \??\B: Tiwi.exe File opened (read-only) \??\L: winlogon.exe File opened (read-only) \??\L: IExplorer.exe File opened (read-only) \??\Q: IExplorer.exe File opened (read-only) \??\K: cute.exe File opened (read-only) \??\L: cute.exe File opened (read-only) \??\Y: winlogon.exe File opened (read-only) \??\B: imoet.exe File opened (read-only) \??\K: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\K: IExplorer.exe File opened (read-only) \??\L: imoet.exe File opened (read-only) \??\M: IExplorer.exe File opened (read-only) \??\P: IExplorer.exe File opened (read-only) \??\Z: IExplorer.exe File opened (read-only) \??\J: imoet.exe File opened (read-only) \??\R: imoet.exe File opened (read-only) \??\X: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\K: Tiwi.exe File opened (read-only) \??\O: cute.exe File opened (read-only) \??\L: Tiwi.exe File opened (read-only) \??\V: cute.exe File opened (read-only) \??\S: imoet.exe File opened (read-only) \??\Y: imoet.exe File opened (read-only) \??\T: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\W: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\P: cute.exe File opened (read-only) \??\Y: cute.exe File opened (read-only) \??\W: Tiwi.exe File opened (read-only) \??\J: cute.exe File opened (read-only) \??\K: imoet.exe File opened (read-only) \??\H: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\Q: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\I: cute.exe File opened (read-only) \??\Q: cute.exe File opened (read-only) \??\G: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\U: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\S: IExplorer.exe File opened (read-only) \??\B: cute.exe File opened (read-only) \??\N: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\H: IExplorer.exe File opened (read-only) \??\Y: IExplorer.exe File opened (read-only) \??\B: IExplorer.exe File opened (read-only) \??\E: IExplorer.exe File opened (read-only) \??\X: IExplorer.exe File opened (read-only) \??\J: winlogon.exe File opened (read-only) \??\M: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\M: Tiwi.exe File opened (read-only) \??\L: b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened (read-only) \??\X: winlogon.exe File opened (read-only) \??\M: cute.exe File opened (read-only) \??\N: imoet.exe File opened (read-only) \??\Q: Tiwi.exe File opened (read-only) \??\U: Tiwi.exe File opened (read-only) \??\G: Tiwi.exe File opened (read-only) \??\R: Tiwi.exe File opened (read-only) \??\T: imoet.exe File opened (read-only) \??\U: imoet.exe File opened (read-only) \??\Y: Tiwi.exe -
Modifies WinLogon 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" cute.exe -
Drops autorun.inf file 1 TTPs 8 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created F:\autorun.inf b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened for modification F:\autorun.inf b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File created F:\autorun.inf Tiwi.exe File opened for modification F:\autorun.inf Tiwi.exe File created C:\autorun.inf b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened for modification C:\autorun.inf b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File created C:\autorun.inf Tiwi.exe File opened for modification C:\autorun.inf Tiwi.exe -
Drops file in System32 directory 40 IoCs
description ioc Process File created C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe imoet.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe imoet.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe cute.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe cute.exe File created C:\Windows\SysWOW64\tiwi.scr b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File created C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr winlogon.exe File opened for modification C:\Windows\SysWOW64\shell.exe imoet.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr imoet.exe File created C:\Windows\SysWOW64\IExplorer.exe cute.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr Tiwi.exe File created C:\Windows\SysWOW64\IExplorer.exe b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr cute.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File created C:\Windows\SysWOW64\shell.exe b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe -
Drops file in Windows directory 26 IoCs
description ioc Process File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe imoet.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe IExplorer.exe File opened for modification C:\Windows\tiwi.exe cute.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File opened for modification C:\Windows\tiwi.exe winlogon.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe winlogon.exe File created C:\Windows\tiwi.exe imoet.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe Tiwi.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe cute.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe File created C:\Windows\tiwi.exe Tiwi.exe File created C:\Windows\msvbvm60.dll IExplorer.exe -
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe -
Modifies Control Panel 54 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\SwapMouseButtons = "1" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\ IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s1159 = "Tiwi" cute.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s2359 = "Tiwi" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s1159 = "Tiwi" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s1159 = "Tiwi" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\ cute.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\ Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s2359 = "Tiwi" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\SwapMouseButtons = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\SwapMouseButtons = "1" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s2359 = "Tiwi" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s1159 = "Tiwi" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\ b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\SwapMouseButtons = "1" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\SwapMouseButtons = "1" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s2359 = "Tiwi" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" imoet.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ cute.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\ imoet.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\ cute.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s1159 = "Tiwi" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s2359 = "Tiwi" cute.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\ b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s1159 = "Tiwi" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\SwapMouseButtons = "1" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" cute.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s2359 = "Tiwi" imoet.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\ winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." imoet.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\ b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" cute.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." cute.exe -
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" winlogon.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} cute.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process 2420 Tiwi.exe 2356 imoet.exe 688 winlogon.exe 4048 IExplorer.exe 1060 cute.exe -
Suspicious use of SetWindowsHookEx 36 IoCs
pid Process 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 2420 Tiwi.exe 4048 IExplorer.exe 3240 Tiwi.exe 4244 Tiwi.exe 832 IExplorer.exe 4732 IExplorer.exe 688 winlogon.exe 2056 winlogon.exe 3300 Tiwi.exe 2356 imoet.exe 3676 imoet.exe 1560 IExplorer.exe 1060 cute.exe 2684 winlogon.exe 4436 cute.exe 5036 imoet.exe 1084 winlogon.exe 1172 cute.exe 3992 Tiwi.exe 2440 Tiwi.exe 3188 Tiwi.exe 1616 IExplorer.exe 3580 IExplorer.exe 4040 IExplorer.exe 2188 winlogon.exe 1976 imoet.exe 3972 winlogon.exe 2512 winlogon.exe 1556 imoet.exe 4324 cute.exe 1728 imoet.exe 3408 imoet.exe 2612 cute.exe 4284 cute.exe 1376 cute.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2424 wrote to memory of 2420 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 85 PID 2424 wrote to memory of 2420 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 85 PID 2424 wrote to memory of 2420 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 85 PID 2424 wrote to memory of 4048 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 87 PID 2424 wrote to memory of 4048 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 87 PID 2424 wrote to memory of 4048 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 87 PID 2424 wrote to memory of 3240 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 88 PID 2424 wrote to memory of 3240 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 88 PID 2424 wrote to memory of 3240 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 88 PID 2420 wrote to memory of 4244 2420 Tiwi.exe 89 PID 2420 wrote to memory of 4244 2420 Tiwi.exe 89 PID 2420 wrote to memory of 4244 2420 Tiwi.exe 89 PID 2424 wrote to memory of 832 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 90 PID 2424 wrote to memory of 832 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 90 PID 2424 wrote to memory of 832 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 90 PID 2420 wrote to memory of 4732 2420 Tiwi.exe 91 PID 2420 wrote to memory of 4732 2420 Tiwi.exe 91 PID 2420 wrote to memory of 4732 2420 Tiwi.exe 91 PID 2424 wrote to memory of 688 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 92 PID 2424 wrote to memory of 688 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 92 PID 2424 wrote to memory of 688 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 92 PID 2420 wrote to memory of 2056 2420 Tiwi.exe 93 PID 2420 wrote to memory of 2056 2420 Tiwi.exe 93 PID 2420 wrote to memory of 2056 2420 Tiwi.exe 93 PID 4048 wrote to memory of 3300 4048 IExplorer.exe 94 PID 4048 wrote to memory of 3300 4048 IExplorer.exe 94 PID 4048 wrote to memory of 3300 4048 IExplorer.exe 94 PID 2424 wrote to memory of 2356 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 95 PID 2424 wrote to memory of 2356 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 95 PID 2424 wrote to memory of 2356 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 95 PID 2420 wrote to memory of 3676 2420 Tiwi.exe 96 PID 2420 wrote to memory of 3676 2420 Tiwi.exe 96 PID 2420 wrote to memory of 3676 2420 Tiwi.exe 96 PID 4048 wrote to memory of 1560 4048 IExplorer.exe 99 PID 4048 wrote to memory of 1560 4048 IExplorer.exe 99 PID 4048 wrote to memory of 1560 4048 IExplorer.exe 99 PID 2420 wrote to memory of 1060 2420 Tiwi.exe 100 PID 2420 wrote to memory of 1060 2420 Tiwi.exe 100 PID 2420 wrote to memory of 1060 2420 Tiwi.exe 100 PID 4048 wrote to memory of 2684 4048 IExplorer.exe 101 PID 4048 wrote to memory of 2684 4048 IExplorer.exe 101 PID 4048 wrote to memory of 2684 4048 IExplorer.exe 101 PID 2424 wrote to memory of 4436 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 102 PID 2424 wrote to memory of 4436 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 102 PID 2424 wrote to memory of 4436 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 102 PID 4048 wrote to memory of 5036 4048 IExplorer.exe 103 PID 4048 wrote to memory of 5036 4048 IExplorer.exe 103 PID 4048 wrote to memory of 5036 4048 IExplorer.exe 103 PID 4048 wrote to memory of 1172 4048 IExplorer.exe 104 PID 4048 wrote to memory of 1172 4048 IExplorer.exe 104 PID 4048 wrote to memory of 1172 4048 IExplorer.exe 104 PID 2424 wrote to memory of 1084 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 105 PID 2424 wrote to memory of 1084 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 105 PID 2424 wrote to memory of 1084 2424 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe 105 PID 688 wrote to memory of 3992 688 winlogon.exe 106 PID 688 wrote to memory of 3992 688 winlogon.exe 106 PID 688 wrote to memory of 3992 688 winlogon.exe 106 PID 1060 wrote to memory of 3188 1060 cute.exe 107 PID 1060 wrote to memory of 3188 1060 cute.exe 107 PID 1060 wrote to memory of 3188 1060 cute.exe 107 PID 2356 wrote to memory of 2440 2356 imoet.exe 109 PID 2356 wrote to memory of 2440 2356 imoet.exe 109 PID 2356 wrote to memory of 2440 2356 imoet.exe 109 PID 688 wrote to memory of 1616 688 winlogon.exe 110 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cute.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System imoet.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe"C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2424 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2420 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4244
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4732
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2056
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3676
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1060 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3188
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4040
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3972
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1728
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2612
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4048 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3300
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1560
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2684
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5036
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1172
-
-
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3240
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:832
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:688 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3992
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1616
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2188
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1556
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4284
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2356 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2440
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3580
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2512
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3408
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1376
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4436
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1084
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1976
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4324
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
56KB
MD51b58247907706a6036549bd2ed5ad049
SHA1e1873e9d8f6161e424d137c5f4063a3a8a56f4c2
SHA2566f66315d3501ab0b60c300f0d39d08965f2787bba64e053a8be695abd982f87e
SHA512c65b86c2b690830d2d91e4690ea4e02983ead1f5b7eb1b02ad4cb70325e5cd8e4296b8445feab4571c71033c1c398bd8c12bb32fe0ee0a2d5ea4da1415c138a9
-
Filesize
45KB
MD5d99cc5763f63569617ea1c5a292e35e5
SHA198fe017a3c5db78cdbe8bc9128240ed08af45ad2
SHA256236c2875ea3828c1536117212a8474bd3649d54907cb4e55e3c485da1a6fe990
SHA512aee29add9ecc6370c26dddb893ab59b24f0628db9d8605dbbb92e64937640621de6c90e562beb6c357724dfb5e8706ac8da298a7ac8db9099a3432a36d01541e
-
Filesize
56KB
MD50990c384d04399819af22651864d126c
SHA18df2bbc2c51252e616e996795efa329d965f8b81
SHA25679224bd18da006981f12ca1941ab752e93656a348a16096b8b5809f3298d3a99
SHA5125d05872d3781fcb9868181722a24b25b29cd3819ceba16ffe45dc6b53650148c6436db748073b24ccc4e01af88f4724713f28365e44a23cc2d6cfcd0228a6fa7
-
Filesize
56KB
MD5ddb0e5ac8ac01deaa8fd87ac8230ec93
SHA1850310df5d7b6f0a00ce1aebc3d69315f433db92
SHA25635a0bdb8ba21d8333f943d96a6645950b8ab95d38309359ee2e888c27a973190
SHA5125fb1814e691dd8fe68e48b0caa13436bd797432a34313a4bcb8815074ab3d170f223b4f543162cde25134c086cc5d2c24a969ae730254bbb8e53b24ff1fe84e2
-
Filesize
56KB
MD5f11208c59165a15170480d46b7f60723
SHA1dff6dfb6f495a27ba8ed51a8e58f9c0e9f0d095d
SHA25679036533e9bbd2af2b6c929fba1b17bbd0efc93c646f6eef6c5aaabf64c679d5
SHA5127f4efcfda3756ea757a5d422c94a7721ba2fcfa11598ead60fff3075d56c72ba95f44361876a810a45efdc6c6399c79b66d6d89a8705a5628eb77ee6adb82185
-
Filesize
56KB
MD58c0b47e262293a18c06dfc00da233283
SHA17969d6216878d6e5f1595baec518fb207000f7eb
SHA256c34e4c85463834526a83d05b3195b4696ee2940a37a458919ab91898b3e1463c
SHA51292797ad8d1954531d9a549c9f832d56ad035caa744f33c097887b05e51287810356ca960392f32b34416af9d81b5452935d1d7961cf8e645725f9ab4fb2fec3c
-
Filesize
56KB
MD529dbb307e51cc263748a81f4e2451489
SHA16e1b5b47c06046e6f7dafdfb2e61b74d3c71e5d1
SHA256a24e2e991df84f7d675ad576c304ac08ebe5a1866938412f1579af4aec9a85ec
SHA51208e0f5e7f2d177ed2ac25eacd40d1d6b0872b60e2a602d611e6f5c4385b0cf41156d3c9288e2850e6ee9f6a6ec1074c48e690ad9bd65c8cb23d6dc37b4fb289d
-
Filesize
45KB
MD5600e1203b8dd0ed57316f877583ea6e7
SHA1a9669fcd8cf0994d6197c0724323ee59046afb4c
SHA2561d89685f3297266704214190bb672ad3579d404c786cc50fc57ba4ba9bc7524f
SHA512840bd4ae405be033685b248275e2804aaa7cae76ebe9d72bea03bd291e78f9083c6060e037a3983b4567387129dc43a98c3cdbe95203e021f736b0bf9231a2d0
-
Filesize
45KB
MD53ebd5f4f595c5b702cccf79972cc5add
SHA14498f9ecb52157252504cd3d4847ebd5cbe65a6e
SHA25605c42a53f844e9c040c2a3578d5591eacc88556af4fa577ac56bd557f947f2af
SHA5121e78ed8ba179bdf5edd8d1b8872c20352afdb282395d1750dbd5d7ecfda1a37ac40002e48b69030eef6050ad9f57a515b6f5ec7da185f254622813d1fde86b37
-
Filesize
56KB
MD53cff5d83ffab0c1cc287716c8f1eae58
SHA1a1cbe21e67775c376c2f4306dc8938aafab735e8
SHA2562260d1aa28444d03c2055b5a158ccd5b678e631929ec520c0d547551b727163c
SHA5124a22880b07c66674d52ea2c2cc1e77395f0143a28bebe37d76604fce8eeeb435b98bffa383bad646cc3cc6ce4e6010c7ca61417cf7fa64d5acf6575f8fe4a6a9
-
Filesize
56KB
MD5152f9c3985070e16de3bf864f648e358
SHA19f6f2749a9979de8d4975f61f82341e28a5d7692
SHA256e4b0ed86c72a3e0cb32716c9a90ddd8b370c12722fcaac41c9eec171613d82fe
SHA5121b1a02e66be2ed918790e72c95e958339958b67b20308c0503f30dd5198359ce20cc4a3947c748ac584e08fb0b631c650e90c5cb5cae701d6e888fc97da37671
-
Filesize
56KB
MD5db24234e2b2452487414f42f9a598b2a
SHA15893cd9b681a4c1c048e6b4c6a8c2c040147defe
SHA256e1c0c3dd4b982527f56e2cba4300dd93b71e6312f7014f023df2721e4fb1661d
SHA5125038d55e7c30fefa4cfd6e3cddee5ea61001d803467630ce8e9ebf7371715b0d234d0df88f6d615cb636ddb6b61ac5d850c8b84d2c032a739103c5f8b8a70af1
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
56KB
MD5027f07517d0285d4b81c371888cc9756
SHA1ad4565b7e461c8dfb08fd6f125727fc1066301e3
SHA256bd18659994f8867ce14ade8dd51614856c1cf99a1c8f7076d23f3e5616d49442
SHA512ac5aa6c4b297ad93af110380b33565612d56cec5537908a365ede49b841999fc43ca855432eec0e0ad4ba6f232d40ac9fb25a1c8b3b025e63ad74d43b7ce8558
-
Filesize
56KB
MD58638a33cbafabf9d668f435709ab8f4a
SHA15d7806dc40c76b30428437baae89351ba3d79f19
SHA256b560a16427a23ed535c3221d4bcc27c33a0a06cb90fa62ae1dc346dfe0315428
SHA512d5e4e2bad27d53b1c7b7161c4e62358a5c1961fba465234d76b276051fd5d765db3ecca77a334fb78c1c026d335c6aa7b9f566858c0733a3fdcef626244a5d99
-
Filesize
56KB
MD5b0be3102b32edd9264701e3d79b815c7
SHA108b6c5c0256fd6475980744d5955a59a739eb87d
SHA256b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474
SHA51258807be09a297c1be232cd304f68e6e3d79f088407a82254966d4c0e4327bf4bc89bd9cd23d239b2581dd0c985ac154c4631437528f785a527f5f74bd1364b6d
-
Filesize
56KB
MD5bb9211d60a55ce4a21130baa20ac110d
SHA10aabeefe7bbd668fae2e6cf92268809831ba91f0
SHA2567464ebf6dd75fc7d826490908cd7676740cf61d3b19246d99aa25d35c6c3576e
SHA512b4ea21627323a6c95432211081b928a97a56ee23efac479a23b76b7c120f2d8900aef4a71773f98095eaf5206d20296f78ccaef1e7cae122584602829beca149
-
Filesize
56KB
MD548e123848fa5d91b382d49bcc202c105
SHA1b064095b5b6e7e8b7f366978f22394fa88a9e445
SHA256b00e51150c595f041b9cf992a974542f14d14e217856055551ad6204612744df
SHA51229d453e839a4fdceacbab4d96db6e26a2e8273b5ba57d239c15aad76c7c89df088a0b6b7879880666bfec5179a08b399defd0c67142de5aaaa3cedaef705e7a6
-
Filesize
56KB
MD59e04bfb20749015ea9449f34ad60ff7e
SHA1b45b665450337387c6cb55f985564cadeacb77e5
SHA256c4f4d70a24d04540facbab7bc13c2f58f48066f31df2007be81584a31afa2f3a
SHA5129df2ca2dd381f3c798671e9740d782606c5f73180c36f9c828a91dccedaa2a7a7ad950095569a72508917fba25f6656f52dbecd7bb61e2f059626bf3208318e9
-
Filesize
729B
MD58e3c734e8dd87d639fb51500d42694b5
SHA1f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA51206ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853
-
Filesize
56KB
MD5e69508e2c5823491be42811dce2ac4e4
SHA13a6a80201b50a45f0f98f10bd92923a24b01c099
SHA256de0abd5bf56925987d3fa75860b6f4e2ba3f7d19993b29c2ab69a31d29cedfac
SHA51255cb335bc7ec205541a5bd333e5d161ce2d69d9203a1e45b70a990ba4c4456adb6ead26e02921e4ca6e2d53a33a83d5a0989ecfdd88f4141ece4a59b61019ab3
-
Filesize
39B
MD5415c421ba7ae46e77bdee3a681ecc156
SHA1b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62