Analysis
max time kernel: 120s
max time network: 17s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2024 20:43
Static task: static1
Behavioral task: behavioral1
  Sample: 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
  Resource: win10v2004-20241007-en
General
Target: 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Size: 384KB
MD5: b4f8597636f01b29ead992b7beda4b56
SHA1: baf39a69fe0e0fb907251caad32678e1d406f500
SHA256: 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c
SHA512: 05dddcef58aba6531ec66c8d8c2a4ef45a942ac6f5436d0fabccdc9895e1eab39a1a3c68fc9bfe8ae9eafb2e222713977d1a6130f78450198baad6394894e390
SSDEEP: 6144:V/OZpls/OZplP/OZplx/OZpl7/OZplx/OZpl4/OZplpBE/OZk:V/Ms/MP/Mx/M7/Mx/M4/MpBE/z
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | cute.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Tiwi.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cute.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe
Disables use of System Restore points (1 TTPs)
Executes dropped EXE (35 IoCs)
pid | Process
2648 | Tiwi.exe
2916 | IExplorer.exe
1968 | Tiwi.exe
2476 | IExplorer.exe
2616 | Tiwi.exe
1344 | winlogon.exe
1592 | IExplorer.exe
1032 | imoet.exe
2216 | Tiwi.exe
2040 | IExplorer.exe
756 | cute.exe
2368 | Tiwi.exe
1576 | winlogon.exe
2516 | winlogon.exe
1752 | imoet.exe
1228 | IExplorer.exe
2832 | Tiwi.exe
2316 | imoet.exe
2672 | cute.exe
2768 | winlogon.exe
2904 | winlogon.exe
2088 | Tiwi.exe
3040 | cute.exe
2172 | IExplorer.exe
1496 | IExplorer.exe
3024 | imoet.exe
2968 | imoet.exe
2980 | winlogon.exe
2972 | winlogon.exe
3004 | cute.exe
2624 | imoet.exe
3060 | cute.exe
2700 | cute.exe
2956 | imoet.exe
1968 | cute.exe
Loads dropped DLL (53 IoCs)
Modifies system executable filetype association (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | imoet.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | imoet.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 18 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | IExplorer.exe
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | F:\autorun.inf | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened for modification | F:\autorun.inf | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File created | C:\autorun.inf | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened for modification | C:\autorun.inf | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Drops file in System32 directory (40 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\IExplorer.exe | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | imoet.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | cute.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\shell.exe | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | Tiwi.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | Tiwi.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | imoet.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | cute.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | imoet.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File created | C:\Windows\SysWOW64\tiwi.scr | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | Tiwi.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | imoet.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | cute.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | cute.exe
Drops file in Windows directory 26 IoCs
description | ioc | Process
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | cute.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | imoet.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | Tiwi.exe
File opened for modification | C:\Windows\tiwi.exe | IExplorer.exe
File created | C:\Windows\tiwi.exe | winlogon.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File created | C:\Windows\tiwi.exe | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | winlogon.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | imoet.exe
File created | C:\Windows\tiwi.exe | cute.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | Tiwi.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Modifies Control Panel 54 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s1159 = "Tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s1159 = "Tiwi" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\SwapMouseButtons = "1" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\ | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s2359 = "Tiwi" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\SwapMouseButtons = "1" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s1159 = "Tiwi" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\ | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\ | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\SwapMouseButtons = "1" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\ | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\ | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\ | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\SwapMouseButtons = "1" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s1159 = "Tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s2359 = "Tiwi" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s2359 = "Tiwi" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s2359 = "Tiwi" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s2359 = "Tiwi" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\SwapMouseButtons = "1" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s2359 = "Tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s1159 = "Tiwi" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s1159 = "Tiwi" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\SwapMouseButtons = "1" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\ | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | imoet.exe
Modifies Internet Explorer settings 18 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\ | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | winlogon.exe
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | cute.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Tiwi.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid | Process
2648 | Tiwi.exe
1032 | imoet.exe
1344 | winlogon.exe
2916 | IExplorer.exe
756 | cute.exe
Suspicious use of SetWindowsHookEx 36 IoCs
pid | Process
576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
2648 | Tiwi.exe
2916 | IExplorer.exe
1968 | Tiwi.exe
2476 | IExplorer.exe
2616 | Tiwi.exe
1344 | winlogon.exe
1032 | imoet.exe
2216 | Tiwi.exe
1592 | IExplorer.exe
2040 | IExplorer.exe
1576 | winlogon.exe
2368 | Tiwi.exe
756 | cute.exe
2516 | winlogon.exe
1228 | IExplorer.exe
1752 | imoet.exe
2316 | imoet.exe
2832 | Tiwi.exe
2672 | cute.exe
2904 | winlogon.exe
2768 | winlogon.exe
2088 | Tiwi.exe
3040 | cute.exe
1496 | IExplorer.exe
3024 | imoet.exe
2172 | IExplorer.exe
2968 | imoet.exe
2980 | winlogon.exe
2972 | winlogon.exe
2624 | imoet.exe
3004 | cute.exe
3060 | cute.exe
2700 | cute.exe
2956 | imoet.exe
1968 | cute.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 576 wrote to memory of 2648 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 31
PID 576 wrote to memory of 2648 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 31
PID 576 wrote to memory of 2648 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 31
PID 576 wrote to memory of 2648 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 31
PID 576 wrote to memory of 2916 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 32
PID 576 wrote to memory of 2916 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 32
PID 576 wrote to memory of 2916 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 32
PID 576 wrote to memory of 2916 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 32
PID 576 wrote to memory of 1968 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 33
PID 576 wrote to memory of 1968 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 33
PID 576 wrote to memory of 1968 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 33
PID 576 wrote to memory of 1968 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 33
PID 576 wrote to memory of 2476 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 34
PID 576 wrote to memory of 2476 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 34
PID 576 wrote to memory of 2476 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 34
PID 576 wrote to memory of 2476 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 34
PID 2648 wrote to memory of 2616 | 2648 | Tiwi.exe | 35
PID 2648 wrote to memory of 2616 | 2648 | Tiwi.exe | 35
PID 2648 wrote to memory of 2616 | 2648 | Tiwi.exe | 35
PID 2648 wrote to memory of 2616 | 2648 | Tiwi.exe | 35
PID 576 wrote to memory of 1344 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 36
PID 576 wrote to memory of 1344 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 36
PID 576 wrote to memory of 1344 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 36
PID 576 wrote to memory of 1344 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 36
PID 2648 wrote to memory of 1592 | 2648 | Tiwi.exe | 37
PID 2648 wrote to memory of 1592 | 2648 | Tiwi.exe | 37
PID 2648 wrote to memory of 1592 | 2648 | Tiwi.exe | 37
PID 2648 wrote to memory of 1592 | 2648 | Tiwi.exe | 37
PID 576 wrote to memory of 1032 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 38
PID 576 wrote to memory of 1032 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 38
PID 576 wrote to memory of 1032 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 38
PID 576 wrote to memory of 1032 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 38
PID 2916 wrote to memory of 2216 | 2916 | IExplorer.exe | 39
PID 2916 wrote to memory of 2216 | 2916 | IExplorer.exe | 39
PID 2916 wrote to memory of 2216 | 2916 | IExplorer.exe | 39
PID 2916 wrote to memory of 2216 | 2916 | IExplorer.exe | 39
PID 576 wrote to memory of 756 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 41
PID 576 wrote to memory of 756 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 41
PID 576 wrote to memory of 756 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 41
PID 576 wrote to memory of 756 | 576 | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe | 41
PID 2916 wrote to memory of 2040 | 2916 | IExplorer.exe | 40
PID 2916 wrote to memory of 2040 | 2916 | IExplorer.exe | 40
PID 2916 wrote to memory of 2040 | 2916 | IExplorer.exe | 40
PID 2916 wrote to memory of 2040 | 2916 | IExplorer.exe | 40
PID 1344 wrote to memory of 2368 | 1344 | winlogon.exe | 42
PID 1344 wrote to memory of 2368 | 1344 | winlogon.exe | 42
PID 1344 wrote to memory of 2368 | 1344 | winlogon.exe | 42
PID 1344 wrote to memory of 2368 | 1344 | winlogon.exe | 42
PID 2648 wrote to memory of 1576 | 2648 | Tiwi.exe | 43
PID 2648 wrote to memory of 1576 | 2648 | Tiwi.exe | 43
PID 2648 wrote to memory of 1576 | 2648 | Tiwi.exe | 43
PID 2648 wrote to memory of 1576 | 2648 | Tiwi.exe | 43
PID 2916 wrote to memory of 2516 | 2916 | IExplorer.exe | 44
PID 2916 wrote to memory of 2516 | 2916 | IExplorer.exe | 44
PID 2916 wrote to memory of 2516 | 2916 | IExplorer.exe | 44
PID 2916 wrote to memory of 2516 | 2916 | IExplorer.exe | 44
PID 2648 wrote to memory of 1752 | 2648 | Tiwi.exe | 45
PID 2648 wrote to memory of 1752 | 2648 | Tiwi.exe | 45
PID 2648 wrote to memory of 1752 | 2648 | Tiwi.exe | 45
PID 2648 wrote to memory of 1752 | 2648 | Tiwi.exe | 45
PID 1344 wrote to memory of 1228 | 1344 | winlogon.exe | 46
PID 1344 wrote to memory of 1228 | 1344 | winlogon.exe | 46
PID 1344 wrote to memory of 1228 | 1344 | winlogon.exe | 46
PID 1344 wrote to memory of 1228 | 1344 | winlogon.exe | 46
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cute.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Tiwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe
Processes
Each entry gives the image path, the command line and the PID, indented by depth in the process tree. Image paths under C:\Windows\SysWOW64 paired with command lines naming C:\Windows\system32 are the result of WOW64 file-system redirection: the sample is 32-bit and the analysis image is x64.

C:\Users\Admin\AppData\Local\Temp\13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe"
PID: 576
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification

  C:\Windows\Tiwi.exe
  Command line: C:\Windows\Tiwi.exe
  PID: 2648
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification

    C:\Windows\Tiwi.exe
    Command line: C:\Windows\Tiwi.exe
    PID: 2616
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\IExplorer.exe
    Command line: C:\Windows\system32\IExplorer.exe
    PID: 1592
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    PID: 1576
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    PID: 1752
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    PID: 2672
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\IExplorer.exe
  Command line: C:\Windows\system32\IExplorer.exe
  PID: 2916
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification

    C:\Windows\Tiwi.exe
    Command line: C:\Windows\Tiwi.exe
    PID: 2216
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\IExplorer.exe
    Command line: C:\Windows\system32\IExplorer.exe
    PID: 2040
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    PID: 2516
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    PID: 2316
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    PID: 3040
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Windows\Tiwi.exe
  Command line: C:\Windows\Tiwi.exe
  PID: 1968
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\IExplorer.exe
  Command line: C:\Windows\system32\IExplorer.exe
  PID: 2476
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  PID: 1344
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification

    C:\Windows\Tiwi.exe
    Command line: C:\Windows\Tiwi.exe
    PID: 2368
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\IExplorer.exe
    Command line: C:\Windows\system32\IExplorer.exe
    PID: 1228
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    PID: 2768
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    PID: 2968
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    PID: 3004
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  PID: 1032
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification

    C:\Windows\Tiwi.exe
    Command line: C:\Windows\Tiwi.exe
    PID: 2832
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\IExplorer.exe
    Command line: C:\Windows\system32\IExplorer.exe
    PID: 2172
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    PID: 2972
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    PID: 2956
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    PID: 1968
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  PID: 756
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification

    C:\Windows\Tiwi.exe
    Command line: C:\Windows\Tiwi.exe
    PID: 2088
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\IExplorer.exe
    Command line: C:\Windows\system32\IExplorer.exe
    PID: 1496
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    PID: 2980
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    PID: 2624
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    PID: 2700
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  PID: 2904
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  PID: 3024
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  PID: 3060
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
The number after each technique is the count of matching signatures in this report.
Persistence
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 2
- Event Triggered Execution (T1546): 1
  - Change Default File Association (T1546.001): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 2
- Event Triggered Execution (T1546): 1
  - Change Default File Association (T1546.001): 1
Defense Evasion
- Hide Artifacts (T1564): 2
  - Hidden Files and Directories (T1564.001): 2
- Modify Registry (T1112): 9
Downloads
- Filesize: 384KB
  MD5: 196e7a85854760e012407f6ef6e7eb12
  SHA1: d4a500a3fe26a11133841e4138f179111f219bf0
  SHA256: 8c28a9bac4706f61107a1817fd099f091970a6d654073b50ce2cf4d1a9b79d71
  SHA512: 88fc4f6159b3dd88311f72e813b9c0df86368231711d0e71eb32814b8943d9690a423703de6bf6c55889b7ba8cee63a2ae5c243f05dbbc1afb685b3b28d3240b
- Filesize: 45KB
  MD5: b10aefaf178baa5fbb3449aba471ab4f
  SHA1: 230d9fe6373dace7445569a5535657c6facac4d4
  SHA256: 74ef58151e574ff11fa654c78a21aa48fb4d7380fb35d03502b86c6df582f7d8
  SHA512: db3532aee9a6714658387ad25346e81a5a6f3d7946ef21a731e12526b59373a290a2381e188b9714ce7e041305911c9b2f8e1221038ab76b84e73a187a9fad9d
- Filesize: 384KB
  MD5: 82e7b29ce24a08fd104522c3ee15b503
  SHA1: da26f8347900b6922bc077d02d8e0fd6781a2885
  SHA256: 0a4ec4c326e0a3f41175d132c9c93a7071624442e2fac91f391a16f6fc044595
  SHA512: 41c908ee2b9a7a326efd54a6dc703ca328bf070bec5c14be9cf230e04e5abbc5de4f902f875444c67e1cafb6254066f8d8c7999ef5a67408f774cc263305b8ff
- Filesize: 384KB
  MD5: 2d982bf6fa76e3b6994c23e1162d7fc1
  SHA1: df56a54a17cf74b86b45df2acbe91feebba3e86a
  SHA256: 1ff87af1fd6b386db1597154abc34066d8371ea3423d38a31ed5b77fc3920d3d
  SHA512: bf2c7659f351d213c2a9d67553a294f7e63bf4b8d35c526d3c0e206a3bbd5e2f92a650b0415904e37ddd120d340fe8b102ef68ecd7cd0f31b4c1d8aea312050c
- Filesize: 45KB
  MD5: a5d6820efdaa598fd9f4571febe48392
  SHA1: 59112d000bab37eaba512422b132635d7d2a48ad
  SHA256: ef37ac4c59e7c640abd1c043a698abfba3ecf09008536ec90065224d39c90ddd
  SHA512: 9605a98a0cbab6affc0befa94bbb83acd4c20250c97b437295ba35d46f358da18c1c98fcdd7dc7c4405b6bf973ad6695ea33d15992e847e83762ec5fcb461296
- Filesize: 45KB
  MD5: b32f0a88d69bb1847a6ae115b484844b
  SHA1: 3bf1f54228802a95160843119d97d132171cd152
  SHA256: 58789ea6af34c79408817a694aeba65e560eddce0a36407c715ec2cdec1a9a0d
  SHA512: 223a2595b29abe87b4254d9dce9993cfb4acd6a5101568e9ab29b184b8799bc561e42ea4e32e7d59ed8d7513839be07e67494bb1cc3b13e80285cc34172dcd83
- Filesize: 45KB
  MD5: ba8d5bd7d2c7c43115f754e9f495dd69
  SHA1: b315a0543fb585fb99998d7f607e1645dcdf8b26
  SHA256: dfef9c1315ade0218164cfda92b64fc2980568ba753aa17ae0e34ed43f635a66
  SHA512: 43340730f8b56bf6ddcc5b3c07cc1cf596ef70c6087191ff39b737b99c3810e536ff2b6baab8ad466b840d2a3825b336dfa1e527099e3e750f1ecc018dbf65ce
- Filesize: 384KB
  MD5: 56b8f1d39e1a5208abde3fb3cf1843ae
  SHA1: 6b02d9cafdb32adfd4aebdbe8af510da55d4ce3e
  SHA256: e3944172f375ddce1d4aa9538ea6a0beeec57621ae479a1a2f544b47847708a8
  SHA512: b2ea42649dfe711479f9a2e67c9677c51c05908078f76258f86e9be4efedeff18f87889cd5096c71f67f466103cdcd7c31ea8cf54721d1398b7451b9ee857b0f
- Filesize: 384KB
  MD5: 929d2655084f6769dc7a0e0a08d3f0b6
  SHA1: a828b09f6787491aab163d46c482062d1d19fe72
  SHA256: c01844f62020302d70e4504e5f4e94cc5b617b1b2bcc49e81c7363fc072a08a2
  SHA512: 61737b54d734f28af2440e46650a9827df71f6c6f878ca86f44b51b795390860d93c1db73cac9435a34b490c0a67ce0805d0682153228acaf6738d3ed5df0732
- Filesize: 384KB
  MD5: cf4b9d8955d7d36703b079ce311684e8
  SHA1: bea00acab13f50972ad1345283d89463447a87f7
  SHA256: 42070b3d2fcd4589ff1dfb017c1284297a2dfde6bfda8a9555cf54841a9c3fd7
  SHA512: f861fa1dfa665acd640766d2cece3b0cc3fa4a6b524020ebf111993c28171984a8d882e8f01fdc16fcd475681fa7041848b99afec46758a2a5fb9e172e3c6edd
- Filesize: 384KB
  MD5: 24705a25f88b59f73ddda683cbe7e66b
  SHA1: eb525aede618e37e605bf7c9e7cb20c9174a85a5
  SHA256: dbd6aee70c604fa3f057ec806c4415b5b7a4930bf0f5e017b755aa7b713a0329
  SHA512: 2ff3002d601d03e8768c8b33154b015d3f582f7d04857c1b64f16a1a682ebbdfb12585013ab72162af6411f7b25f44f9786249b60862154181e0284dd715884d
- Filesize: 1.3MB
  MD5: 5343a19c618bc515ceb1695586c6c137
  SHA1: 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
  SHA256: 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
  SHA512: 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
- Filesize: 384KB
  MD5: 39f7e73e81276d617d0ac8e2cd85b2f1
  SHA1: e9976098ecb8416833b84668d92dfb2cb2d52b00
  SHA256: 113b738938962542511c5bd12113c78c967efd9b2349e8e5f71b7b646e625325
  SHA512: dd5e1424b5ce3cbc9b0dce56b96e788ed01a91854586b844dcc3daff20082931244bf9012644eebe76e740f6b4d36d96fbf1ac3a42bdfc2262bc48050bef7855
- Filesize: 384KB
  MD5: 9f985d7e37d6889f286547e9a11bf9f8
  SHA1: 4a216ba74584b2c3ea2e66537635e5dc96c3b7d0
  SHA256: bf1fc1540d1fb2c75175ef22abd73bf8a16932130f6cbf46147faac2020ed625
  SHA512: 5d35febaab8f136b9458ffe0e6a69cfa6fca6f6b6b1c3caf9cb2043231a71b388068ded8ecca69fb42c012f88c13893e2dff37911748ec4ae85580b5e262a5a6
- Filesize: 384KB
  MD5: f015d26c241680f668134d6350e01ea0
  SHA1: 8d71f842796b55ec5084901ac6dc66577ebe156c
  SHA256: cef324c658e379a844155fde5f153db20fb33292a26e7b6a84a60750b357754f
  SHA512: 9af6736b3110174d0393059942d5c84780197a02c978c0ddbb518b88f75138023d21bd21ad580efd8a394bc636687ffef415ed0c07f47cf9679db45dd1d98a10
- Filesize: 384KB
  MD5: b4f8597636f01b29ead992b7beda4b56
  SHA1: baf39a69fe0e0fb907251caad32678e1d406f500
  SHA256: 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c
  SHA512: 05dddcef58aba6531ec66c8d8c2a4ef45a942ac6f5436d0fabccdc9895e1eab39a1a3c68fc9bfe8ae9eafb2e222713977d1a6130f78450198baad6394894e390
- Filesize: 384KB
  MD5: d3efc28a1eed67a98da0f1fe683d5885
  SHA1: 020a80d6ba591cfc612165bd2356269ada9dea87
  SHA256: d640e2c4362855ae2030e8374fabb83c26a88b3bf93e193eff4315231edd3a01
  SHA512: bef10a86e48414d6b5144f6939e7589404d4236f7c1971b367e62e4c2b34e306ed4d100111c2c86c16daffc9ad2665cf3f81f648ccc92ae619742185c221e457
- Filesize: 384KB
  MD5: f22ae70cac4604b995fb30320933235d
  SHA1: 48a50b4ee5b77c320ec73eb4eddad6ec7b858f89
  SHA256: dc53b11b300b02749f2c0823086336722631da906d20b7f3f7eca224fe82d44d
  SHA512: 7e92e92f94c97e76264512ff58396528ad59f402f0c1ab6517b640074f2f1bb30b5dff2c85b6d6449ff893aa9b1063dbef3b958cf318f5b684c2c627fd8db22a
- Filesize: 384KB
  MD5: f597168456d10139d4eb5c42f9d7c98e
  SHA1: 99d4075d1f3b5b27519bc55d3e5738d8d39e40be
  SHA256: ab18c999ee475bb516c5faba6363f05558c403dd47ef661611036614e7fed180
  SHA512: 0246eaebcd7682a14b8aff608a99a95d17756ba16cb5461081f68eec059ecfd1a9b5aff0ec5b9150912907e6d0cb1889cba6ab2e9cf07cd4475d79e2a2149568
- Filesize: 384KB
  MD5: 5e99921635a308ee76bac745c1d44f21
  SHA1: 80ba23cce41b868e0f9e232a00d7de31d3b526c8
  SHA256: 6944172baa1bed38e91e3bfe33c2155a4ee42b8c9628de5e291de10cb3037a2d
  SHA512: 08ac086508ee7118d955b76532d56a9016084a56675d74da775d8de5a0c152c8b63c6dd8e8b21d12c5a6dca4efca98a88ff27b5f3c0c6db26f91b9349eda6505
- Filesize: 729B
  MD5: 8e3c734e8dd87d639fb51500d42694b5
  SHA1: f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
  SHA256: 574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
  SHA512: 06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853
- Filesize: 384KB
  MD5: 0e117ee14aeb081f0e2ef7020fc66718
  SHA1: 58ba4888f8a08f11d60266f9afdd34d3c38b1aee
  SHA256: f972d92b58a5f28d54bbc5d5e39e64143c4ca59bb305173dc0f04e54d4e8c914
  SHA512: 14ecd6c107d6e07a80026f5a28251832c15e77caf1cd2d41242e00082ea1349caaeff3d333871a96851afc82e0bcb7114753fdd7680242189233c9a69f678e27
- Filesize: 384KB
  MD5: acc05affc33f693b00563e3cb2edf6b0
  SHA1: 335d3c61948a1e3f852ca893b897a324ae045928
  SHA256: 769309fbdc2ddab46890239c5b9a06565728a91692f7f171e35946f2d4ba5820
  SHA512: afc8caeb87a91cb0efc08d5497070bfc1bf0332cd119f03d1158def8d470eee29b7b4b78f1a12b9ad8218670a3ae4d3bb756330365a140b744dcedfa89db6a6b
- Filesize: 384KB
  MD5: 9cafd1a626fbf22fec02ca304efd0a26
  SHA1: 03c0db24f6441c2428f9501ccc202ab872d45ca2
  SHA256: ef55808e584c2bbf3f9802c6dd24a3d50534c120e9559954c5268315e5cccf27
  SHA512: db402b0e9941d0f177f689a8a13aeef57754455a400da0cb2f46e8f0657d9039646ce16bbfd41a67d6e2b1327e764a58b165d34118d6d2ea169d42f5052eee36
- Filesize: 39B
  MD5: 415c421ba7ae46e77bdee3a681ecc156
  SHA1: b0db5782b7688716d6fc83f7e650ffe1143201b7
  SHA256: e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
  SHA512: dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62
- Filesize: 384KB
  MD5: b590c11a814407928f7be83677eeae17
  SHA1: 1feb93614af11964a4c6cbf58f81fd0104d0b028
  SHA256: e0140f0803298bdf4cf240596a2430ac5c5621de606bb0d7a76d1c2e8f0a9fbc
  SHA512: b3e64ae4ba14af12856fdb3df117c3188ebf0a29ea644daf984d4483f4dbb0be6278f54a6a3802d721fe9f6482666f3dbb21495c102d2cfbc506ebb5b66e3a01
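The listing above gives each dropped file's size and four digests, with the label fused to the hex in the page's layout. Most entries are 384KB, the size of the submitted sample, yet every one carries a different digest, so a denylist built only from the submitted file's hashes would miss the copies the sample writes out. As an added example for this page (not code from the report or the sample), the following Python parses the listing in its flattened layout, validates digest lengths so that a truncated hash is caught rather than silently shipped as an IoC, counts entries per reported size, and lists the same-size siblings of a given SHA-256. The embedded input is four entries copied from the listing; SAMPLE_SHA256 is the submitted file's digest from the report header.

```python
"""Parse the flattened "Downloads" hash listing of this sandbox report into
validated records and summarize it.  Added example; not part of the report."""
import re
from collections import defaultdict

# Constructed sample input: four entries copied from the report's listing in
# its own flattened layout (hash label and hex run together).
LISTING = """\
Filesize
384KB
MD5196e7a85854760e012407f6ef6e7eb12
SHA1d4a500a3fe26a11133841e4138f179111f219bf0
SHA2568c28a9bac4706f61107a1817fd099f091970a6d654073b50ce2cf4d1a9b79d71
SHA51288fc4f6159b3dd88311f72e813b9c0df86368231711d0e71eb32814b8943d9690a423703de6bf6c55889b7ba8cee63a2ae5c243f05dbbc1afb685b3b28d3240b
-
Filesize
45KB
MD5b10aefaf178baa5fbb3449aba471ab4f
SHA1230d9fe6373dace7445569a5535657c6facac4d4
SHA25674ef58151e574ff11fa654c78a21aa48fb4d7380fb35d03502b86c6df582f7d8
SHA512db3532aee9a6714658387ad25346e81a5a6f3d7946ef21a731e12526b59373a290a2381e188b9714ce7e041305911c9b2f8e1221038ab76b84e73a187a9fad9d
-
Filesize
384KB
MD5b4f8597636f01b29ead992b7beda4b56
SHA1baf39a69fe0e0fb907251caad32678e1d406f500
SHA25613b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c
SHA51205dddcef58aba6531ec66c8d8c2a4ef45a942ac6f5436d0fabccdc9895e1eab39a1a3c68fc9bfe8ae9eafb2e222713977d1a6130f78450198baad6394894e390
-
Filesize
39B
MD5415c421ba7ae46e77bdee3a681ecc156
SHA1b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62
"""

# Digest of the submitted file, from the report header.
SAMPLE_SHA256 = "13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c"

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest labels first so "SHA512..." and "SHA256..." are never read as "SHA1" + hex.
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]*)$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def size_to_bytes(text):
    """'384KB' -> 393216; raises ValueError on anything that is not a size."""
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognized size: {text!r}")
    return int(float(m.group(1)) * UNIT[m.group(2)])


def parse_listing(text):
    """Turn the flattened listing into a list of record dicts.
    A record starts at a 'Filesize' line; the next line is the size, then
    one fused label+hex line per digest; '-' separates records."""
    records, current, expect_size = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Filesize":
            current = {"hashes": {}, "problems": []}
            records.append(current)
            expect_size = True
            continue
        if current is None or line in ("", "-"):
            continue
        if expect_size:
            current["size"] = line
            try:
                current["bytes"] = size_to_bytes(line)
            except ValueError as exc:
                current["problems"].append(str(exc))
            expect_size = False
            continue
        m = LABEL_RE.match(line)
        if m:
            current["hashes"][m.group(1)] = m.group(2).lower()
        else:
            current["problems"].append(f"unparsed line: {line!r}")
    return records


def validate(record):
    """Problems with one record: parse errors, missing digests, wrong digest lengths."""
    problems = list(record["problems"])
    for label, length in HASH_LEN.items():
        digest = record["hashes"].get(label)
        if digest is None:
            problems.append(f"missing {label}")
        elif len(digest) != length:
            problems.append(f"{label} has {len(digest)} hex digits, expected {length}")
    return problems


def by_size(records):
    """Count of records per reported size string."""
    counts = defaultdict(int)
    for r in records:
        counts[r.get("size", "?")] += 1
    return dict(counts)


def same_size_siblings(records, sha256):
    """SHA-256 digests of the other files with the same reported size as `sha256`."""
    target = next((r for r in records if r["hashes"].get("SHA256") == sha256), None)
    if target is None:
        return []
    return [r["hashes"]["SHA256"] for r in records
            if r is not target and r.get("bytes") == target.get("bytes")]


if __name__ == "__main__":
    recs = parse_listing(LISTING)
    for r in recs:
        status = "; ".join(validate(r)) or "OK"
        print(f'{r["size"]:>6} {r["hashes"].get("SHA256", "?")[:16]}...  {status}')
    print("per size:", by_size(recs))
    print("same-size siblings of the submitted sample:", same_size_siblings(recs, SAMPLE_SHA256))
```

Sizes are compared through the converted byte count rather than the string so that a listing mixing "384KB" and "393216B" would still group correctly; the size strings in this report are rounded, so two files with the same reported size are not necessarily byte-identical in length.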