76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Size

160KB
MD5

0cc9f444897fee45503629b76279f788
SHA1

6e58732d285bc6b962a2da432b6606d99f9d106a
SHA256

76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29
SHA512

46e3721d683df1898c3cdd8332a52a8a3d89cab574bfb0f003fb853d1ece9e9f86928709d14d93404f87e04b9166ca205d12f4eae2d98432ed04989da30204da
SSDEEP

1536:zmWwat4oIuRXqHQu+QwPyohUXWIcoTgCwHhmHKNKqODN5YlS0pw8:znzt4oIuR6Hv+QwPyohUsuCqxqA1Sr

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe

Modifies system executable filetype association 2 TTPs 14 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe

Blocks application from running via registry modification 6 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
644	2024	WerFault.exe	26

Modifies Control Panel 9 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\s1159 = "Inanimate"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\AutoEndTasks = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\s2359 = "Animate"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2024	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2024	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 644	2024	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe	27
PID 2024 wrote to memory of 644	2024	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe	27
PID 2024 wrote to memory of 644	2024	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe	27
PID 2024 wrote to memory of 644	2024	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe	27

System policy modification 1 TTPs 7 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe

C:\Users\Admin\AppData\Local\Temp\76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe
"C:\Users\Admin\AppData\Local\Temp\76b96f84cc26050662758376eb5a66a6b81e2c8b05b718344bb91c8bb8a24e29.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Windows security modification
- Adds Run key to start application
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 392
  2⤵
  - Program crash
  PID:644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/644-57-0x0000000000000000-mapping.dmp

Download
memory/2024-56-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/2024-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download