b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Size

56KB
MD5

01fce7d77edd9cb87d7eda278c91f36c
SHA1

2f79a23eb9f5a67119cc15584642937fa2d83e18
SHA256

b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8
SHA512

3d9f81030dad3bbfc79c10a2610cc73c964719693ea492eb71d4ef04b7d52d1b83569e1b69356a1107708af55044576dcf61098833ea875a95ad90e3ab04a6b4
SSDEEP

768:VNuG777/+V36n9PcXYvn8KR1I3NznRAQZlh4VkpX179r+R5GOwekff:V8w2VS9Eovn8KRgWmhZpX1Qvwj

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 35 IoCs

pid	Process
1540	Tiwi.exe
4292	IExplorer.exe
5044	winlogon.exe
5068	Tiwi.exe
4296	Tiwi.exe
368	IExplorer.exe
2812	IExplorer.exe
4644	Tiwi.exe
4896	winlogon.exe
2416	winlogon.exe
4112	IExplorer.exe
2408	imoet.exe
1512	imoet.exe
4760	winlogon.exe
2700	cute.exe
3196	cute.exe
1240	imoet.exe
4264	Tiwi.exe
2712	cute.exe
1164	imoet.exe
4072	IExplorer.exe
2364	winlogon.exe
3928	cute.exe
4536	Tiwi.exe
508	imoet.exe
3320	IExplorer.exe
3064	cute.exe
812	winlogon.exe
2188	imoet.exe
3312	Tiwi.exe
3036	cute.exe
2492	IExplorer.exe
3728	winlogon.exe
2844	imoet.exe
2992	cute.exe

Loads dropped DLL 6 IoCs

pid	Process
5068	Tiwi.exe
4296	Tiwi.exe
4644	Tiwi.exe
4264	Tiwi.exe
4536	Tiwi.exe
3312	Tiwi.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File opened (read-only)	\??\N:	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File opened (read-only)	\??\P:	cute.exe
File opened (read-only)	\??\E:	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File opened (read-only)	\??\H:	cute.exe
File opened (read-only)	\??\Z:	Tiwi.exe
File opened (read-only)	\??\B:	IExplorer.exe
File opened (read-only)	\??\H:	IExplorer.exe
File opened (read-only)	\??\S:	IExplorer.exe
File opened (read-only)	\??\W:	winlogon.exe
File opened (read-only)	\??\B:	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File opened (read-only)	\??\Z:	IExplorer.exe
File opened (read-only)	\??\P:	winlogon.exe
File opened (read-only)	\??\E:	cute.exe
File opened (read-only)	\??\T:	cute.exe
File opened (read-only)	\??\U:	cute.exe
File opened (read-only)	\??\O:	IExplorer.exe
File opened (read-only)	\??\K:	winlogon.exe
File opened (read-only)	\??\O:	winlogon.exe
File opened (read-only)	\??\U:	imoet.exe
File opened (read-only)	\??\R:	IExplorer.exe
File opened (read-only)	\??\X:	cute.exe
File opened (read-only)	\??\Q:	IExplorer.exe
File opened (read-only)	\??\H:	imoet.exe
File opened (read-only)	\??\T:	imoet.exe
File opened (read-only)	\??\Y:	imoet.exe
File opened (read-only)	\??\N:	Tiwi.exe
File opened (read-only)	\??\P:	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File opened (read-only)	\??\E:	winlogon.exe
File opened (read-only)	\??\J:	winlogon.exe
File opened (read-only)	\??\X:	winlogon.exe
File opened (read-only)	\??\X:	imoet.exe
File opened (read-only)	\??\Y:	Tiwi.exe
File opened (read-only)	\??\G:	imoet.exe
File opened (read-only)	\??\Q:	imoet.exe
File opened (read-only)	\??\Y:	cute.exe
File opened (read-only)	\??\Y:	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File opened (read-only)	\??\R:	Tiwi.exe
File opened (read-only)	\??\V:	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File opened (read-only)	\??\U:	IExplorer.exe
File opened (read-only)	\??\W:	imoet.exe
File opened (read-only)	\??\J:	Tiwi.exe
File opened (read-only)	\??\T:	Tiwi.exe
File opened (read-only)	\??\K:	imoet.exe
File opened (read-only)	\??\N:	cute.exe
File opened (read-only)	\??\W:	IExplorer.exe
File opened (read-only)	\??\V:	Tiwi.exe
File opened (read-only)	\??\G:	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File opened (read-only)	\??\Q:	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File opened (read-only)	\??\S:	imoet.exe
File opened (read-only)	\??\Q:	Tiwi.exe
File opened (read-only)	\??\W:	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File opened (read-only)	\??\E:	IExplorer.exe
File opened (read-only)	\??\L:	IExplorer.exe
File opened (read-only)	\??\M:	IExplorer.exe
File opened (read-only)	\??\L:	winlogon.exe
File opened (read-only)	\??\X:	Tiwi.exe
File opened (read-only)	\??\U:	Tiwi.exe
File opened (read-only)	\??\S:	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File opened (read-only)	\??\K:	IExplorer.exe
File opened (read-only)	\??\N:	IExplorer.exe
File opened (read-only)	\??\X:	IExplorer.exe
File opened (read-only)	\??\I:	Tiwi.exe
File opened (read-only)	\??\T:	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe

Drops autorun.inf file 1 TTPs 8 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	Tiwi.exe
File created	F:\autorun.inf	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File opened for modification	F:\autorun.inf	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File created	C:\autorun.inf	Tiwi.exe
File opened for modification	C:\autorun.inf	Tiwi.exe
File created	C:\autorun.inf	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File opened for modification	C:\autorun.inf	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File created	F:\autorun.inf	Tiwi.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	cute.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File created	C:\Windows\SysWOW64\tiwi.scr	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File created	C:\Windows\SysWOW64\shell.exe	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	imoet.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	cute.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	winlogon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\tiwi.exe	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	winlogon.exe
File opened for modification	C:\Windows\tiwi.exe	imoet.exe
File created	C:\Windows\tiwi.exe	imoet.exe
File created	C:\Windows\tiwi.exe	cute.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	winlogon.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	cute.exe
File opened for modification	C:\Windows\tiwi.exe	Tiwi.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s1159 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s1159 = "Tiwi"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s2359 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s1159 = "Tiwi"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\SwapMouseButtons = "1"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s2359 = "Tiwi"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s1159 = "Tiwi"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\SwapMouseButtons = "1"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s1159 = "Tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s2359 = "Tiwi"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s2359 = "Tiwi"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\s2359 = "Tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\SwapMouseButtons = "1"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	imoet.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Tiwi.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
1540	Tiwi.exe
2408	imoet.exe
5044	winlogon.exe
4292	IExplorer.exe
2700	cute.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
1540	Tiwi.exe
4292	IExplorer.exe
5044	winlogon.exe
5068	Tiwi.exe
4296	Tiwi.exe
368	IExplorer.exe
2812	IExplorer.exe
4896	winlogon.exe
4644	Tiwi.exe
2416	winlogon.exe
4112	IExplorer.exe
2408	imoet.exe
4760	winlogon.exe
1512	imoet.exe
2700	cute.exe
1240	imoet.exe
3196	cute.exe
2712	cute.exe
4264	Tiwi.exe
4072	IExplorer.exe
1164	imoet.exe
2364	winlogon.exe
3928	cute.exe
4536	Tiwi.exe
508	imoet.exe
3320	IExplorer.exe
3064	cute.exe
812	winlogon.exe
2188	imoet.exe
3312	Tiwi.exe
3036	cute.exe
2492	IExplorer.exe
3728	winlogon.exe
2844	imoet.exe
2992	cute.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 1540	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	82
PID 3292 wrote to memory of 1540	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	82
PID 3292 wrote to memory of 1540	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	82
PID 3292 wrote to memory of 4292	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	83
PID 3292 wrote to memory of 4292	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	83
PID 3292 wrote to memory of 4292	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	83
PID 3292 wrote to memory of 5044	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	84
PID 3292 wrote to memory of 5044	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	84
PID 3292 wrote to memory of 5044	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	84
PID 3292 wrote to memory of 5068	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	85
PID 3292 wrote to memory of 5068	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	85
PID 3292 wrote to memory of 5068	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	85
PID 1540 wrote to memory of 4296	1540	Tiwi.exe	86
PID 1540 wrote to memory of 4296	1540	Tiwi.exe	86
PID 1540 wrote to memory of 4296	1540	Tiwi.exe	86
PID 3292 wrote to memory of 368	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	87
PID 3292 wrote to memory of 368	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	87
PID 3292 wrote to memory of 368	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	87
PID 1540 wrote to memory of 2812	1540	Tiwi.exe	88
PID 1540 wrote to memory of 2812	1540	Tiwi.exe	88
PID 1540 wrote to memory of 2812	1540	Tiwi.exe	88
PID 3292 wrote to memory of 4896	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	89
PID 3292 wrote to memory of 4896	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	89
PID 3292 wrote to memory of 4896	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	89
PID 4292 wrote to memory of 4644	4292	IExplorer.exe	90
PID 4292 wrote to memory of 4644	4292	IExplorer.exe	90
PID 4292 wrote to memory of 4644	4292	IExplorer.exe	90
PID 1540 wrote to memory of 2416	1540	Tiwi.exe	91
PID 1540 wrote to memory of 2416	1540	Tiwi.exe	91
PID 1540 wrote to memory of 2416	1540	Tiwi.exe	91
PID 4292 wrote to memory of 4112	4292	IExplorer.exe	92
PID 4292 wrote to memory of 4112	4292	IExplorer.exe	92
PID 4292 wrote to memory of 4112	4292	IExplorer.exe	92
PID 3292 wrote to memory of 2408	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	93
PID 3292 wrote to memory of 2408	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	93
PID 3292 wrote to memory of 2408	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	93
PID 1540 wrote to memory of 1512	1540	Tiwi.exe	94
PID 1540 wrote to memory of 1512	1540	Tiwi.exe	94
PID 1540 wrote to memory of 1512	1540	Tiwi.exe	94
PID 4292 wrote to memory of 4760	4292	IExplorer.exe	95
PID 4292 wrote to memory of 4760	4292	IExplorer.exe	95
PID 4292 wrote to memory of 4760	4292	IExplorer.exe	95
PID 3292 wrote to memory of 2700	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	96
PID 3292 wrote to memory of 2700	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	96
PID 3292 wrote to memory of 2700	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	96
PID 4292 wrote to memory of 1240	4292	IExplorer.exe	97
PID 4292 wrote to memory of 1240	4292	IExplorer.exe	97
PID 4292 wrote to memory of 1240	4292	IExplorer.exe	97
PID 1540 wrote to memory of 3196	1540	Tiwi.exe	98
PID 1540 wrote to memory of 3196	1540	Tiwi.exe	98
PID 1540 wrote to memory of 3196	1540	Tiwi.exe	98
PID 5044 wrote to memory of 4264	5044	winlogon.exe	99
PID 5044 wrote to memory of 4264	5044	winlogon.exe	99
PID 5044 wrote to memory of 4264	5044	winlogon.exe	99
PID 4292 wrote to memory of 2712	4292	IExplorer.exe	102
PID 4292 wrote to memory of 2712	4292	IExplorer.exe	102
PID 4292 wrote to memory of 2712	4292	IExplorer.exe	102
PID 3292 wrote to memory of 1164	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	103
PID 3292 wrote to memory of 1164	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	103
PID 3292 wrote to memory of 1164	3292	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe	103
PID 5044 wrote to memory of 4072	5044	winlogon.exe	104
PID 5044 wrote to memory of 4072	5044	winlogon.exe	104
PID 5044 wrote to memory of 4072	5044	winlogon.exe	104
PID 5044 wrote to memory of 2364	5044	winlogon.exe	105

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe

C:\Users\Admin\AppData\Local\Temp\b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe
"C:\Users\Admin\AppData\Local\Temp\b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3292
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1540
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4296
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2812
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2416
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1512
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3196
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4292
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4644
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4112
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4760
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1240
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2712
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5044
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4264
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4072
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2364
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:508
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3064
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5068
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:368
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4896
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2408
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4536
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3320
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:812
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2188
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3036
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2700
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3312
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2492
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3728
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2844
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2992
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1164
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
aeb993e0d028ca6c7fa400fb73821cd7

SHA1
58888ff34cfde584c600076b9c6adf2a2c337db8

SHA256
4516f7426c81c85ab8d5b55477f4102f0b4332ddd5eef40931c6dc5663ddc7aa

SHA512
d0a172a39987815d7755f7609638ee8561d82bd46962952fe33582d8e93c047eb2241953c66d31d8133a4d32f0443901388f6660cc190f5451b1d33bc9b42d75

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
56KB

MD5
d6eee43c03eb3d4719b294d0115f2e05

SHA1
286182c6f8a40651f2b49e8975ae7e1f614dcf9d

SHA256
110ea3f739863b1a7230b4e6a5412d5467ece673dcee6dd19f4a5c5116455c5d

SHA512
a9c8b7a639eefb2141134fab665c7a1220eaf7431c62a186e919ccca80bccb436db5085eb057826ded24efca3aaad38dbbc43889011ae647036eca08b88e2326

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
56KB

MD5
cb8d0b563828001be3d7add3c08c62eb

SHA1
9b29fa27eba32fd37a665858893f405e64eed3d6

SHA256
ee5cd29d86efa63be468a260cec9444a4cf3eb53efdc8efb1a818d5cab4677d9

SHA512
996ff592ddf6debc6758cb0fe4e5256f92d4365219c8cbc01bb14d2916b39ff052ebce3c050cdbe977e2b7123af65a34d3465fbc835e7b1d40fd5c7cc7b8e001

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
56KB

MD5
f6e0d8475aab32683d32781bcd108fa0

SHA1
49f6200b023c552a16913366f8aeaf64c6a72146

SHA256
5ad254dc6e78667f9131f632fa4a722b97bc36a08a365b4a19681f39538fa512

SHA512
d299788cdb0787fa5f83772687d4bcb8f67715b165bc332c605e70389ab4a657663abc18329dd624f1eb5ebb03667dd8c06039206b43f8c0c7bed21dd1f8eda8

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
56KB

MD5
fd0fc242881156edfe6fbffd2fd78c0b

SHA1
486cd34127aa44a2bc2ad947efc75048624b332d

SHA256
f929eb615f1e139257a0f011ff58e917028837213d745943a663a5cc4e432cb9

SHA512
b29e7490c567e952d8b0e4ffa2d68828d53e7e6bc44ed615f05f179e402f0ab799468d18dd7c5ccc97b39783c9157a069f364720c2211e008131b492c1430474

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
56KB

MD5
83298e5425f366b963a264d5785c5ddc

SHA1
a27555697e5321ff93e2e795bd86657c2bcaf5aa

SHA256
974a0c5e4b85f926cd0a664dc15015666da9d7110b6d61d90a12e36e23b4fd05

SHA512
fb311ff3134eebfc6b1da86094e9cb994a63146bc7a7d99f4fce3c3a125ef045c7f33d6eddee9a6681a31d97d32acf3b44ae80ddc6c4878d72dc93df806d0141

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
56KB

MD5
f671b5bac5b3a1d7b20c1c82818f3553

SHA1
2a726f85544a29ff37d8d3be9d7489c7ab2bbed2

SHA256
934d6b788d825fa2520ca41bf581f2bc01397e015f361bce546b2b360842638b

SHA512
47e9df5d35b9bc515f792c33aff998dfd61fad51165b452c54ce7a9d1b094ffcb20ea3260472b57c6d10896b25bdece19c70ea957682411c69a18c6a68927e66

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
56KB

MD5
591cd97ad41529192c989cabf3c5c3f7

SHA1
5f4e437312173c832bf7ed1224386e01d6e6a9c1

SHA256
c6a7a6e0aebca47a6bcfee453ebb37829dd449fd0257e32f6934015a111180c7

SHA512
0f544e9704181c7974894682d0710f4cb1bf33b012fd4956f6cd7518ea4891851381d1238a8f27984f1e477bfbd185e4473688e0c7dfc2e73b329aa28319de1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
a5590cf19ff7c28e3e1ff50ed8096859

SHA1
2b5c0f71a06080330eb8ffbfb9592c30d7d03de3

SHA256
ba78aa89a51729f54724c4b494e420db8a82c884835d107af6279dced9e132dc

SHA512
7052fb29444bd3ce21b6f09453a1017ae9c8d2d875f2618f26caf0922de1ab392743a7c3e7266292a2108e1dac2aa712d7063d143c53160711d57fa87483f23b

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
27da03ea0b4b9391c46889e9f8b16ada

SHA1
68f7f1f94cb403d7a9bf3e3211a5e638520315e4

SHA256
a0909fe064c6b6ffeff45782979a5dbf70f2b4254b09c501458bf9e1fddcab15

SHA512
21a19ac698c06699200c2af7fc38f703c5f9ba03a98c2e92305e920cf1462ccd7fcebcecdaff7918a2c0bb62931cce49187bae7bc74819e24eaca5b1f249951e

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
3d6daf25ebffe840af3c399a84cb6248

SHA1
16f6c8454395a39c0a52091233a48b5a10b98208

SHA256
3f3c9d630b0d18c365d36d4298f696f82d5d61b08199b4e0f81ae4dd3a67ec68

SHA512
e9a600a31a4fd4c98ee76c536c0d28b31e577a5b6937d18dc514075da1d81a9c59cec2fefc25fbac45ca0303e78de90ca3d13ccf821245a5b4d0a1cd4e09cabe

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
56KB

MD5
1a4647777a32cc57499086ec35a5e3f9

SHA1
9d74c1738e76456a60e84f539fd1719674f5c310

SHA256
91e415a1e0f3a16ce23be2805cf390ac755c9d70ad6e2579a03fac2fe69b83c7

SHA512
75111aca8a6cb81e57af1e6525431c441d5327291817f4608eb4ea4aeae8d590eeda0f63bf714fe07c657ac38e5a57224160d7c176ebb98cd51658154c1387b5

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
56KB

MD5
93356271e43f95f1ab9e009627392b2b

SHA1
036407e92bb78dadbb83f179fe8c0fc7644cc4e5

SHA256
27d4529991d7014b9b265fb2a98e258f942c09550ef91285beac03301b6a8685

SHA512
009162516cefebc47e242304c7993ce12811532703edc36b4fdf0bc829886a4a1397b5eec8e29ce49d4b65286dba938e56e9cee3e7a26a09ba26f7e2b05664a5

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
56KB

MD5
01fce7d77edd9cb87d7eda278c91f36c

SHA1
2f79a23eb9f5a67119cc15584642937fa2d83e18

SHA256
b283a03560d69a54742c2b78e27727f91a13e4c4c26b4054b7020cacfa0900b8

SHA512
3d9f81030dad3bbfc79c10a2610cc73c964719693ea492eb71d4ef04b7d52d1b83569e1b69356a1107708af55044576dcf61098833ea875a95ad90e3ab04a6b4

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
56KB

MD5
15f9b64ec82a4fe5370a097785f5b704

SHA1
57560701bbfcf1c4ad584e7827012f9d12d80f1d

SHA256
ae8971f30ec6043dc80a2c453636669b7054647d87c954f1b98a249c8d0fd305

SHA512
44d3ca1bad80fd3b9d478ca48e6bca7825c1275b64ee820895d5178365656e22d5e3a4c30c2a354b1a7f0d7932c2d4a6a3924e6b604a2c0e8af730ec5b1bc893

Download Submit
C:\Windows\tiwi.exe

Filesize
56KB

MD5
05b2bfba08934c67b1422d09b9ee39fa

SHA1
2847463dc0c3c2f9df1fc0ae016a579a2d529a5a

SHA256
15274e10a542c21a91750ebb87ed06d4add399965e0b574ffa57bad6998611de

SHA512
d3eb1e7b42f38390a9512e1aad2b2012d60b8d1af2ee66a60dab5436ded66af709440ebb6cf2b5bb9369ae38080b1da165df70b107867357914d91e2b4d8cc88

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
C:\tiwi.exe

Filesize
56KB

MD5
5b8b83a4794dbb67c50039054e65fa31

SHA1
5db339921947cda51e3882096695e85c34b7c1ed

SHA256
c14ebb1c4d4c6edca00ff96f5710fba216e643890cea35a8ea2f55edd5667293

SHA512
da378d637fb37eaa377dcdd1d8896e795b85bd596782fa68888b6ba94e304a35ea3a203acf673a13dc39a10527b865f79c324597defd492e20ce3a41306d758f

Download Submit
F:\autorun.inf

Filesize
39B

MD5
415c421ba7ae46e77bdee3a681ecc156

SHA1
b0db5782b7688716d6fc83f7e650ffe1143201b7

SHA256
e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

SHA512
dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

Download Submit
memory/368-192-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/368-215-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1512-275-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1512-298-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1540-96-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1540-261-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2408-263-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2408-426-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2416-253-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2416-270-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2700-427-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2812-246-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2812-210-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3292-252-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3292-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3292-384-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4112-271-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4112-262-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4292-264-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4292-102-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4296-188-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4296-209-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4644-242-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4644-260-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4760-297-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4760-278-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4896-249-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4896-243-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/5044-273-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/5044-110-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/5068-193-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download