Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-11-2024 20:50
Static task
static1
Behavioral task
behavioral1
Sample
13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Resource
win10v2004-20241007-en
General
-
Target
13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
-
Size
384KB
-
MD5
b4f8597636f01b29ead992b7beda4b56
-
SHA1
baf39a69fe0e0fb907251caad32678e1d406f500
-
SHA256
13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c
-
SHA512
05dddcef58aba6531ec66c8d8c2a4ef45a942ac6f5436d0fabccdc9895e1eab39a1a3c68fc9bfe8ae9eafb2e222713977d1a6130f78450198baad6394894e390
-
SSDEEP
6144:V/OZpls/OZplP/OZplx/OZpl7/OZplx/OZpl4/OZplpBE/OZk:V/Ms/MP/Mx/M7/Mx/M4/MpBE/z
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" imoet.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cute.exe -
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe -
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 35 IoCs
pid Process 2376 Tiwi.exe 2524 IExplorer.exe 1120 winlogon.exe 1996 Tiwi.exe 1868 Tiwi.exe 1644 Tiwi.exe 1104 Tiwi.exe 1160 IExplorer.exe 628 IExplorer.exe 2460 IExplorer.exe 672 IExplorer.exe 1100 winlogon.exe 1808 winlogon.exe 1980 winlogon.exe 1164 winlogon.exe 2416 imoet.exe 1960 imoet.exe 2372 imoet.exe 2452 imoet.exe 2716 cute.exe 2752 cute.exe 2852 cute.exe 2728 imoet.exe 2844 cute.exe 2348 Tiwi.exe 2124 cute.exe 2680 Tiwi.exe 308 IExplorer.exe 2936 IExplorer.exe 592 winlogon.exe 596 imoet.exe 1668 winlogon.exe 1664 imoet.exe 1984 cute.exe 2980 cute.exe -
Loads dropped DLL 53 IoCs
pid Process 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 2376 Tiwi.exe 2376 Tiwi.exe 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 2524 IExplorer.exe 2524 IExplorer.exe 1120 winlogon.exe 1120 winlogon.exe 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 2524 IExplorer.exe 1120 winlogon.exe 2524 IExplorer.exe 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 2376 Tiwi.exe 2376 Tiwi.exe 1120 winlogon.exe 2376 Tiwi.exe 2376 Tiwi.exe 1120 winlogon.exe 2524 IExplorer.exe 2524 IExplorer.exe 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 2376 Tiwi.exe 2376 Tiwi.exe 1120 winlogon.exe 1120 winlogon.exe 2524 IExplorer.exe 2524 IExplorer.exe 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 1960 imoet.exe 1960 imoet.exe 2716 cute.exe 2716 cute.exe 1960 imoet.exe 1960 imoet.exe 1960 imoet.exe 2716 cute.exe 2716 cute.exe 2716 cute.exe 2716 cute.exe 1960 imoet.exe 1960 imoet.exe 2716 cute.exe -
Modifies system executable filetype association 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" Tiwi.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: Tiwi.exe File opened (read-only) \??\L: IExplorer.exe File opened (read-only) \??\U: IExplorer.exe File opened (read-only) \??\Y: IExplorer.exe File opened (read-only) \??\Y: imoet.exe File opened (read-only) \??\B: 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe File opened (read-only) \??\J: Tiwi.exe File opened (read-only) \??\E: winlogon.exe File opened (read-only) \??\Q: imoet.exe File opened (read-only) \??\Y: cute.exe File opened (read-only) \??\Z: winlogon.exe File opened (read-only) \??\I: imoet.exe File opened (read-only) \??\N: imoet.exe File opened (read-only) \??\W: cute.exe File opened (read-only) \??\Y: 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe File opened (read-only) \??\M: winlogon.exe File opened (read-only) \??\O: Tiwi.exe File opened (read-only) \??\B: IExplorer.exe File opened (read-only) \??\H: IExplorer.exe File opened (read-only) \??\X: 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe File opened (read-only) \??\R: Tiwi.exe File opened (read-only) \??\P: IExplorer.exe File opened (read-only) \??\O: imoet.exe File opened (read-only) \??\K: 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe File opened (read-only) \??\T: cute.exe File opened (read-only) \??\R: imoet.exe File opened (read-only) \??\P: Tiwi.exe File opened (read-only) \??\Y: Tiwi.exe File opened (read-only) \??\Q: winlogon.exe File opened (read-only) \??\Z: Tiwi.exe File opened (read-only) \??\N: cute.exe File opened (read-only) \??\X: cute.exe File opened (read-only) \??\E: Tiwi.exe File opened (read-only) \??\H: Tiwi.exe File opened (read-only) \??\V: Tiwi.exe File opened (read-only) \??\R: IExplorer.exe File opened (read-only) \??\R: 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe File opened (read-only) \??\T: winlogon.exe File opened (read-only) \??\I: cute.exe File opened (read-only) \??\S: cute.exe File opened (read-only) \??\O: cute.exe File opened (read-only) \??\U: cute.exe File opened (read-only) \??\E: 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe File opened (read-only) \??\Z: imoet.exe File opened (read-only) \??\B: cute.exe File opened (read-only) \??\K: cute.exe File opened (read-only) \??\O: IExplorer.exe File opened (read-only) \??\Z: IExplorer.exe File opened (read-only) \??\H: cute.exe File opened (read-only) \??\P: cute.exe File opened (read-only) \??\Z: 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe File opened (read-only) \??\Q: Tiwi.exe File opened (read-only) \??\V: winlogon.exe File opened (read-only) \??\K: IExplorer.exe File opened (read-only) \??\B: Tiwi.exe File opened (read-only) \??\G: cute.exe File opened (read-only) \??\S: IExplorer.exe File opened (read-only) \??\S: imoet.exe File opened (read-only) \??\L: 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe File opened (read-only) \??\K: Tiwi.exe File opened (read-only) \??\H: winlogon.exe File opened (read-only) \??\I: winlogon.exe File opened (read-only) \??\J: winlogon.exe File opened (read-only) \??\L: imoet.exe -
Modifies WinLogon 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ IExplorer.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\autorun.inf 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe File opened for modification C:\autorun.inf 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe File created F:\autorun.inf 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe File opened for modification F:\autorun.inf 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe -
Drops file in System32 directory 40 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe cute.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe cute.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr Tiwi.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File created C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\shell.exe 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe File created C:\Windows\SysWOW64\tiwi.scr 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe File created C:\Windows\SysWOW64\IExplorer.exe 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr winlogon.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe File opened for modification C:\Windows\SysWOW64\shell.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe imoet.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe imoet.exe File created C:\Windows\SysWOW64\IExplorer.exe cute.exe File opened for modification C:\Windows\SysWOW64\shell.exe 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe imoet.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr imoet.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe File created C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr cute.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe winlogon.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe -
Drops file in Windows directory 26 IoCs
description ioc Process File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe Tiwi.exe File opened for modification C:\Windows\tiwi.exe IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe imoet.exe File created C:\Windows\tiwi.exe imoet.exe File opened for modification C:\Windows\tiwi.exe 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe Tiwi.exe File opened for modification C:\Windows\tiwi.exe winlogon.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe cute.exe File created C:\Windows\tiwi.exe cute.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe winlogon.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe IExplorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe -
Modifies Control Panel 54 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\SwapMouseButtons = "1" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" imoet.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\ cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\SwapMouseButtons = "1" cute.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ imoet.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "Tiwi" cute.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "Tiwi" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\SwapMouseButtons = "1" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "Tiwi" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\SwapMouseButtons = "1" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "Tiwi" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" cute.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\ 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\ 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\SwapMouseButtons = "1" imoet.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "Tiwi" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\SwapMouseButtons = "1" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "Tiwi" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "Tiwi" cute.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "Tiwi" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "Tiwi" imoet.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "Tiwi" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "Tiwi" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" imoet.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "Tiwi" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" imoet.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\ imoet.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\ imoet.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\ 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." imoet.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\ Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." winlogon.exe -
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" Tiwi.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process 2376 Tiwi.exe 1960 imoet.exe 1120 winlogon.exe 2524 IExplorer.exe 2716 cute.exe -
Suspicious use of SetWindowsHookEx 36 IoCs
pid Process 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 2376 Tiwi.exe 2524 IExplorer.exe 1120 winlogon.exe 1868 Tiwi.exe 1996 Tiwi.exe 1104 Tiwi.exe 1644 Tiwi.exe 628 IExplorer.exe 2460 IExplorer.exe 672 IExplorer.exe 1160 IExplorer.exe 1100 winlogon.exe 1808 winlogon.exe 1164 winlogon.exe 1980 winlogon.exe 1960 imoet.exe 2416 imoet.exe 2372 imoet.exe 2452 imoet.exe 2716 cute.exe 2752 cute.exe 2852 cute.exe 2844 cute.exe 2728 imoet.exe 2124 cute.exe 2348 Tiwi.exe 2680 Tiwi.exe 308 IExplorer.exe 592 winlogon.exe 2936 IExplorer.exe 1668 winlogon.exe 596 imoet.exe 1664 imoet.exe 1984 cute.exe 2980 cute.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2412 wrote to memory of 2376 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 30 PID 2412 wrote to memory of 2376 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 30 PID 2412 wrote to memory of 2376 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 30 PID 2412 wrote to memory of 2376 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 30 PID 2412 wrote to memory of 2524 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 31 PID 2412 wrote to memory of 2524 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 31 PID 2412 wrote to memory of 2524 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 31 PID 2412 wrote to memory of 2524 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 31 PID 2412 wrote to memory of 1120 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 32 PID 2412 wrote to memory of 1120 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 32 PID 2412 wrote to memory of 1120 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 32 PID 2412 wrote to memory of 1120 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 32 PID 2412 wrote to memory of 1996 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 33 PID 2412 wrote to memory of 1996 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 33 PID 2412 wrote to memory of 1996 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 33 PID 2412 wrote to memory of 1996 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 33 PID 2376 wrote to memory of 1868 2376 Tiwi.exe 34 PID 2376 wrote to memory of 1868 2376 Tiwi.exe 34 PID 2376 wrote to memory of 1868 2376 Tiwi.exe 34 PID 2376 wrote to memory of 1868 2376 Tiwi.exe 34 PID 2524 wrote to memory of 1644 2524 IExplorer.exe 35 PID 2524 wrote to memory of 1644 2524 IExplorer.exe 35 PID 2524 wrote to memory of 1644 2524 IExplorer.exe 35 PID 2524 wrote to memory of 1644 2524 IExplorer.exe 35 PID 1120 wrote to memory of 1104 1120 winlogon.exe 36 PID 1120 wrote to memory of 1104 1120 winlogon.exe 36 PID 1120 wrote to memory of 1104 1120 winlogon.exe 36 PID 1120 wrote to memory of 1104 1120 winlogon.exe 36 PID 2376 wrote to memory of 1160 2376 Tiwi.exe 37 PID 2376 wrote to memory of 1160 2376 Tiwi.exe 37 PID 2376 wrote to memory of 1160 2376 Tiwi.exe 37 PID 2376 wrote to memory of 1160 2376 Tiwi.exe 37 PID 2412 wrote to memory of 628 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 38 PID 2412 wrote to memory of 628 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 38 PID 2412 wrote to memory of 628 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 38 PID 2412 wrote to memory of 628 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 38 PID 2524 wrote to memory of 2460 2524 IExplorer.exe 39 PID 2524 wrote to memory of 2460 2524 IExplorer.exe 39 PID 2524 wrote to memory of 2460 2524 IExplorer.exe 39 PID 2524 wrote to memory of 2460 2524 IExplorer.exe 39 PID 1120 wrote to memory of 672 1120 winlogon.exe 40 PID 1120 wrote to memory of 672 1120 winlogon.exe 40 PID 1120 wrote to memory of 672 1120 winlogon.exe 40 PID 1120 wrote to memory of 672 1120 winlogon.exe 40 PID 2412 wrote to memory of 1100 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 41 PID 2412 wrote to memory of 1100 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 41 PID 2412 wrote to memory of 1100 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 41 PID 2412 wrote to memory of 1100 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 41 PID 2524 wrote to memory of 1980 2524 IExplorer.exe 42 PID 2524 wrote to memory of 1980 2524 IExplorer.exe 42 PID 2524 wrote to memory of 1980 2524 IExplorer.exe 42 PID 2524 wrote to memory of 1980 2524 IExplorer.exe 42 PID 1120 wrote to memory of 1808 1120 winlogon.exe 43 PID 1120 wrote to memory of 1808 1120 winlogon.exe 43 PID 1120 wrote to memory of 1808 1120 winlogon.exe 43 PID 1120 wrote to memory of 1808 1120 winlogon.exe 43 PID 2412 wrote to memory of 2416 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 44 PID 2412 wrote to memory of 2416 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 44 PID 2412 wrote to memory of 2416 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 44 PID 2412 wrote to memory of 2416 2412 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe 44 PID 2376 wrote to memory of 1164 2376 Tiwi.exe 45 PID 2376 wrote to memory of 1164 2376 Tiwi.exe 45 PID 2376 wrote to memory of 1164 2376 Tiwi.exe 45 PID 2376 wrote to memory of 1164 2376 Tiwi.exe 45 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Tiwi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cute.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe"C:\Users\Admin\AppData\Local\Temp\13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2412 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2376 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1868
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1160
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1164
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1960 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2348
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:308
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:592
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:596
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1984
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2752
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2524 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1644
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2460
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1980
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2452
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2844
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1120 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1104
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:672
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1808
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2372
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2852
-
-
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1996
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:628
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1100
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2416
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2716 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2680
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2936
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1668
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1664
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2980
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2728
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2124
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD5036df02ce71e9ffe4fced48e8feded42
SHA156a43cc6d6b96560ef2db5918e61375f68984973
SHA256bde370742e0fbf5e1f1baaad9fe3c595a0acc1ea994a6cb6f5de08eabfbfdf5b
SHA512491534068489b76e1849b432aa44d9b9fd075ca6f7094172d9d9767be11b6edd8779c5bdc14be45353db590616652d9d337b7f927d1b275991924e820085ea51
-
Filesize
384KB
MD5ddcd6e5988bde2c2c529a7a8d6204af7
SHA15da828892bc306482c6e32c0fb12438ed9c3df59
SHA256b654981eab9b4f17b1073e43931f46814ad3fbe1784f8e93efdc4d5dd67157d9
SHA5128f648596c0432aeedf4bdc3961c8401f763b2790aaaf5a7d9545c28377f279b684fabf6979455d0f700f0acbbd1d20b10800ed3157a4247f8ebc0dfba2acf8f4
-
Filesize
384KB
MD57e291d4a2c183b742d55e0a8c03a71ad
SHA10d37ca0643d2dd88f6fef17556cd9759aaad8007
SHA256ffef798a00f77cb7bf3355ffddb3afb2ce0ee63e396c68ca3836fd535b82d5b6
SHA51219fd6ae402142cfa18c25a5573bc533b2dcc53df1e385114108b0254652257452380aab9d488f7510f4c8b50d74049ae6cf2feb9b735976923ea5b57b65a4653
-
Filesize
384KB
MD5f8710b53ec3d0d1b1f2d7a39c37bc904
SHA147b9a88f164a4de7a6e5b2b2984772bfff09d001
SHA256c7bd813c2e1e3e450fdf4e168bb4a50ae3916ee965ed7faa275661eb0b792d8a
SHA5126dfed5e91763b9993e81a454950a86bd4ac1baa1d210322e4d0ea1d6d5703baa3c0781aa7088d83c5be50abb92eae1a89bef979c8f5cb4d32bc5d3caa63cb7c2
-
Filesize
45KB
MD5ab6c22cdc3a107b5fb4a4f97930bd5d3
SHA1e8a3f4b6b62e49bb7b79264eaa6bc71bf122d41b
SHA256b2604eff768f899234d3073245ac5b4ad77875e53f137dd51bd13d471205e6f9
SHA51286fb6eb13c2c8586c0cccca10122261083ca681a4ac59716c009ad9ec038f7b1b786e2d793f8c83a1f0a8cf1677372e2ddf40d13de83c5b2650a921d457edc56
-
Filesize
45KB
MD53274073e17e214ae8de7af1def72dc2a
SHA1f67d6aaf18bf516a883fb4a6456f58b0a0714aa1
SHA256716ec7a888719ea2c9a23e3fe9fd48fc454f1a5c522f9b1a70770db863ec7716
SHA512840d8dbe6039409b88415a25dd6bc5611bd97bd5ec445bec79e22f77f3946383f1627a9301a12a1f6351ebc6f4e62d9ae94a03495289bba7e173eab2012b01bc
-
Filesize
45KB
MD530635fde519806a383ca0e0f66ef0ecc
SHA11a4ff169ad82d34faa5791bc652234e20ecffe5b
SHA256df51b88cbb4b43f14e494f1753433cc659b2a3dc9f0493c11a76daa3b8bdb55d
SHA512828432139195890813132bc148e7473de6ae7dc98624766f60be36af49d8133267f567213d1bcde72a257a4c5661fe0cc639275cf549d0266d42ccecfc4ece34
-
Filesize
384KB
MD51ab9dbb39a7fde6ff5fae1e5f36aaed9
SHA17b3698c1d042c93fdf9661e42d6197c41efdc99f
SHA25624876f95a7f4622740b9a20472c099500f2723d052a9d3b1b3b4b546a3072033
SHA512fd4d790612f0ed26acf0522246e27b22ac4920ef661d1aa58c60d1c0a8fe881e74ceb41aeff4edbc11a0d7c47ff9a4b1fc62498e3e4c3abb37584bd55d49aad8
-
Filesize
384KB
MD5bc74e979de00f145e9cdb50c34602949
SHA1bcc1665c409de42bd9a0aa3e9a306da7276caf32
SHA2567b57e77382b5fe0b662db4b5e1eb9f3a727b141e724dead4d708df7d07eafdd5
SHA5121d43b7e0594d94b9dd6be0d6bcecd9a52c7ca22c8104ef22b51781628a10fbff4b1c1783bf7b243353915bad743e91338b715da0fa1360f695ebd30ecdc52322
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
384KB
MD5d97b3e4f08e7f5a7dbccec911de078d9
SHA16a4f3918ccd24e78b19d23e0942db13195add795
SHA256d4db22e8cefa6294b6ce3a4e6b6294d055be7d2574f6213235cf35de805f18da
SHA512bdb15b62dcff2c9ed630f4795b90b05525c893cbdb782decc2fa5e3d1def6c972063ed870d923f6bc6122c5a51b3cf1e0151773864450e6d2466acdaf7f75b89
-
Filesize
384KB
MD5fca02995aa554af81d2465930a88d367
SHA129279403c46bce8b7e9017f8eb7022e54e353ab9
SHA256391dfee9a40caf0eb7e5bffbaf8bbc4b57f70ddf316842a1ebb47ddfd62d56ba
SHA512f54190bb597911ad7fe946e1f6b2e54bcf2f010f869e6a0c03eed0b6fed2edfa8c60e2ff969230c49f178fe6607e538e622c3249084d360f59150796e9c21414
-
Filesize
384KB
MD517a9c7fbc04960711086398ef99b90a4
SHA13eb697b1c8b74349bd4a44f0b4bc4ebf04ef7c08
SHA2566262e8a0f6ab20e47a2628946ba23f9f9e94fc9b1cfc3009aaa648f97f7f1a34
SHA512f387a3c91f1c715526804f93c03a3cc298af62dce865ff66496aea0cfef70063850e6bc0c68bb8402b8decf6599d119dd4cfe981a55b5d97c710282d35a4b81b
-
Filesize
384KB
MD5b4f8597636f01b29ead992b7beda4b56
SHA1baf39a69fe0e0fb907251caad32678e1d406f500
SHA25613b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c
SHA51205dddcef58aba6531ec66c8d8c2a4ef45a942ac6f5436d0fabccdc9895e1eab39a1a3c68fc9bfe8ae9eafb2e222713977d1a6130f78450198baad6394894e390
-
Filesize
384KB
MD574649c1ac48594162d74e54f47ff993b
SHA1b423593c6cbf54ce8a4c0590a11866fc3406171b
SHA256773c0e8835946dcf7b2346d94d4c5ed969284ef9027629b075ce434fc2d3dcef
SHA512c77cfd5b2dfc998674b8e3465331c636ac603a6ba772a51d152b553df20b28b1cf3d733613502d224f64d17d39c9c878f014053de44edbe421793cafa44e542f
-
Filesize
384KB
MD5f35684e2c5a320f54ae6156e12f4e26e
SHA11ed28093b87640ed2fc9a617896e0f62b8370d05
SHA256e917b14a79cb10eb0f297b1913af85c961b639a98be952a562dfb16f50baf735
SHA512d770bc819270b83a2496b3847c60c62f0721310027e2acaa08de71cf5f731734ce188746827e0ca319239c09a8c349cd6c08be47d875a2137531dd097a1e2567
-
Filesize
384KB
MD5dc819a24eeaa71347bda8f37e433a8f3
SHA1a9384783586547d300f0c5c6d1b4db028c92200b
SHA256f8350a7aec177b07ec28f132611d6a4a08e26bc7db9859d78ff3268d9dba7f3d
SHA512a50e0694fa30e33c13238119d8b613bce78b891596df55161eecffa9ffd0e12cbe5bec978ff59053430864f003c7744c05c16d482b343646642d5e42b749ece4
-
Filesize
729B
MD58e3c734e8dd87d639fb51500d42694b5
SHA1f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA51206ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853
-
Filesize
384KB
MD58abe69a7cd58da1b52e2c501b0f7604a
SHA18b7ddfd6c27a41d61c0135765d2b9845f0244ad1
SHA256c578d77c6b770d9f5115b55cd3472f84853a640712c84cf8f0854fee04dbf72d
SHA5120ad7487a02ede80fc728642a275d665ebbc0abd58a9f0df3c15b1792fe74e7c49ab914033a484dea4aee5d41cf8089a42ff29522080470a989b5d79930ea6b91
-
Filesize
384KB
MD5dde9b157723f8d774ba91ef79121742a
SHA19264f7e9100dc43916cd2293b7d71671d4eafe98
SHA256105959c54be09f8fe3320b803159493c7b3bfba6f9464156ad1d99ce02f2dc18
SHA51234f6baab3dfa7f9ad87dd9a26d3dc8ff20f80904462fa26924f8754754d5325d8b823d5b3c02e432de2697dec3d4824d827816b07da4f6acb3627f34c0f03b86
-
Filesize
39B
MD5415c421ba7ae46e77bdee3a681ecc156
SHA1b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62
-
Filesize
384KB
MD5d4079f1555aaa164de7e7babbd94f756
SHA1444811dbd5b6b30c003a5904cd58e5bab251128c
SHA256cd635c9ea3a92a01121e43ee524bf33ae8140abed8c200d3514557fafb4fca8c
SHA512f5de33fcf3faa21f0d34f4ca1c8e8ca7aae14b91b11ed5b88198d03e6ff4cd3f0d12c2b5538d01c36f9c87f83085287b6d009bbbcf5bf9d61e1ef0ddd36d9777