Analysis
max time kernel: 149s
max time network: 125s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2024 03:47
Static task: static1
Behavioral task: behavioral1
  Sample: be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
  Resource: win10v2004-20241007-en
General
Target: be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Size: 488KB
MD5: 79af48ffd26e35d00400b84af73b39d6
SHA1: 30da916fef4549f8fe094956fccd6f92096230ab
SHA256: be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55
SHA512: fa0a4e681e29fffa937bcaa92bb6fc67503071cff81aa172c71aa21cbb218f63549b9403023d7e1910e95cd65552d06f887d573a7ca02cbe735a7ac19db835be
SSDEEP: 12288:V/MW/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:VJK2O2HIBEd7M
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
Processes: IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe, Tiwi.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | winlogon.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
Processes: be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cute.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
Processes: be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cute.exe
Disables RegEdit via registry modification 6 IoCs
Processes: cute.exe, be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | imoet.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification 6 IoCs
Processes: be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe
Disables use of System Restore points 1 TTPs
Executes dropped EXE 35 IoCs
Processes:
pid | Process
2460 | Tiwi.exe
2384 | IExplorer.exe
1844 | Tiwi.exe
1988 | Tiwi.exe
2220 | Tiwi.exe
1540 | IExplorer.exe
2988 | IExplorer.exe
2324 | winlogon.exe
2516 | IExplorer.exe
2160 | winlogon.exe
568 | imoet.exe
2224 | winlogon.exe
1220 | imoet.exe
2180 | cute.exe
2920 | Tiwi.exe
1576 | imoet.exe
2760 | IExplorer.exe
3068 | cute.exe
2056 | winlogon.exe
3056 | cute.exe
2936 | Tiwi.exe
2612 | Tiwi.exe
2864 | winlogon.exe
2968 | IExplorer.exe
2932 | imoet.exe
3000 | imoet.exe
2856 | winlogon.exe
3012 | IExplorer.exe
2944 | cute.exe
2976 | imoet.exe
2972 | cute.exe
784 | cute.exe
1100 | winlogon.exe
1932 | imoet.exe
2092 | cute.exe
Loads dropped DLL 53 IoCs
Modifies system executable filetype association 2 TTPs 64 IoCs
Processes: winlogon.exe, be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe, IExplorer.exe, cute.exe, imoet.exe, Tiwi.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Adds Run key to start application 2 TTPs 24 IoCs
Processes: be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, cute.exe, imoet.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | Tiwi.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 18 IoCs
Processes: Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe, cute.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | cute.exe
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: Tiwi.exe
description | ioc | Process
File opened for modification | C:\autorun.inf | Tiwi.exe
File created | F:\autorun.inf | Tiwi.exe
File opened for modification | F:\autorun.inf | Tiwi.exe
File created | C:\autorun.inf | Tiwi.exe
Drops file in System32 directory 40 IoCs
Drops file in Windows directory 26 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Modifies Control Panel 54 IoCs
Modifies Internet Explorer start page 1 TTPs 6 IoCs
Processes:
description      ioc                                                                                                                                          Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"  be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"  Tiwi.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"  IExplorer.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"  winlogon.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"  imoet.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"  cute.exe
-
Modifies registry class 64 IoCs
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid   Process
2252  Notepad.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid   Process
2156  be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
-
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
Processes:
pid   Process
2460  Tiwi.exe
568   imoet.exe
2324  winlogon.exe
2384  IExplorer.exe
2180  cute.exe
-
Suspicious use of SetWindowsHookEx 36 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 12 IoCs
Processes: Tiwi.exe, IExplorer.exe, cute.exe, be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe, imoet.exe, winlogon.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe (PID 2156)
  Command line: "C:\Users\Admin\AppData\Local\Temp\be27a344debe1ecfbb9947247ef1b94b3b201d84215f48eee0e74bd54d0a0b55.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification

  Depth 2: C:\Windows\Tiwi.exe (PID 2460)
    Command line: C:\Windows\Tiwi.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    Depth 3: C:\Windows\Notepad.exe (PID 2252)
      Command line: Notepad.exe C:\Present.txt
      - Opens file in notepad (likely ransom note)

    Depth 3: C:\Windows\Tiwi.exe (PID 1988)
      Command line: C:\Windows\Tiwi.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    Depth 3: C:\Windows\SysWOW64\IExplorer.exe (PID 1540)
      Command line: C:\Windows\system32\IExplorer.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2324)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Disables cmd.exe use via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - System policy modification

      Depth 4: C:\Windows\Tiwi.exe (PID 2920)
        Command line: C:\Windows\Tiwi.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

      Depth 4: C:\Windows\SysWOW64\IExplorer.exe (PID 2760)
        Command line: C:\Windows\system32\IExplorer.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

      Depth 4: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2056)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

      Depth 4: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 2932)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

      Depth 4: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 2972)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

    Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 568)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Disables cmd.exe use via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - System policy modification

      Depth 4: C:\Windows\Tiwi.exe (PID 2936)
        Command line: C:\Windows\Tiwi.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

      Depth 4: C:\Windows\SysWOW64\IExplorer.exe (PID 2968)
        Command line: C:\Windows\system32\IExplorer.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

      Depth 4: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2856)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

      Depth 4: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 2976)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

      Depth 4: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 784)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

    Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 2180)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Disables cmd.exe use via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - System policy modification

      Depth 4: C:\Windows\Tiwi.exe (PID 2612)
        Command line: C:\Windows\Tiwi.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

      Depth 4: C:\Windows\SysWOW64\IExplorer.exe (PID 3012)
        Command line: C:\Windows\system32\IExplorer.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

      Depth 4: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 1100)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

      Depth 4: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 1932)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

      Depth 4: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 2092)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

  Depth 2: C:\Windows\SysWOW64\IExplorer.exe (PID 2384)
    Command line: C:\Windows\system32\IExplorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    Depth 3: C:\Windows\Tiwi.exe (PID 2220)
      Command line: C:\Windows\Tiwi.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    Depth 3: C:\Windows\SysWOW64\IExplorer.exe (PID 2516)
      Command line: C:\Windows\system32\IExplorer.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2224)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 1576)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 3056)
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

  Depth 2: C:\Windows\Tiwi.exe (PID 1844)
    Command line: C:\Windows\Tiwi.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

  Depth 2: C:\Windows\SysWOW64\IExplorer.exe (PID 2988)
    Command line: C:\Windows\system32\IExplorer.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

  Depth 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2160)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

  Depth 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 1220)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

  Depth 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 3068)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

  Depth 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2864)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

  Depth 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 3000)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

  Depth 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 2944)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (2)
  Event Triggered Execution (1)
    Change Default File Association (1)

Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (2)
  Event Triggered Execution (1)
    Change Default File Association (1)

Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (9)
Downloads