Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
16-04-2024 01:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe
Resource
win7-20240221-en
windows7-x64
27 signatures
150 seconds
Behavioral task
behavioral2
Sample
b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
26 signatures
150 seconds
General
-
Target
b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe
-
Size
52KB
-
MD5
d5a12969c9c21b0eda19b157eee676d9
-
SHA1
3bcb610ea66d2922ea2e0171cbae20b817408ef5
-
SHA256
b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550
-
SHA512
974227f4d3e664c47c73a7c08b9e2b98849982a98dad9efddcf2187c1ec9eb62f77c58ea51553bcbae5f8cbb3ded48723fa8249393d3eba7b8f731a8bd700bb9
-
SSDEEP
768:d+ciLamXW9XgMxjFkpvMVX8q18q13yO1+33j5n/wrkfw:IzaEW5gMxZVXf8a3yO10pwb
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 10 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" WishfulThinking.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SERVICES.EXE -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SERVICES.EXE -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WINLOGON.EXE -
Blocks application from running via registry modification 30 IoCs
Adds application to list of disallowed applications.
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ WishfulThinking.exe -
Disables RegEdit via registry modification 10 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WishfulThinking.exe -
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe SERVICES.EXE -
Executes dropped EXE 24 IoCs
pid Process 2652 nEwb0Rn.exe 2428 WishfulThinking.exe 1996 WINLOGON.EXE 1088 nEwb0Rn.exe 1928 WishfulThinking.exe 1020 WINLOGON.EXE 2144 nEwb0Rn.exe 2060 SERVICES.EXE 2832 WishfulThinking.exe 2092 nEwb0Rn.exe 2244 nEwb0Rn.exe 1584 SERVICES.EXE 2496 WishfulThinking.exe 2312 WINLOGON.EXE 2556 WishfulThinking.exe 2616 WINLOGON.EXE 2612 SERVICES.EXE 2968 SERVICES.EXE 2924 WINLOGON.EXE 2444 nEwb0Rn.exe 2480 SERVICES.EXE 928 WishfulThinking.exe 528 WINLOGON.EXE 580 SERVICES.EXE -
Loads dropped DLL 34 IoCs
pid Process 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 2652 nEwb0Rn.exe 2652 nEwb0Rn.exe 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 2652 nEwb0Rn.exe 2652 nEwb0Rn.exe 2428 WishfulThinking.exe 2428 WishfulThinking.exe 1996 WINLOGON.EXE 1996 WINLOGON.EXE 2428 WishfulThinking.exe 2428 WishfulThinking.exe 2652 nEwb0Rn.exe 2652 nEwb0Rn.exe 2428 WishfulThinking.exe 2428 WishfulThinking.exe 1996 WINLOGON.EXE 1996 WINLOGON.EXE 1996 WINLOGON.EXE 2060 SERVICES.EXE 2060 SERVICES.EXE 2060 SERVICES.EXE 2060 SERVICES.EXE 2060 SERVICES.EXE -
Modifies system executable filetype association 2 TTPs 62 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SERVICES.EXE -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" WINLOGON.EXE -
Adds Run key to start application 2 TTPs 15 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" SERVICES.EXE -
Drops desktop.ini file(s) 4 IoCs
description ioc Process File opened for modification C:\desktop.ini b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File created C:\desktop.ini b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File opened for modification F:\desktop.ini b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File created F:\desktop.ini b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File opened (read-only) \??\S: WishfulThinking.exe File opened (read-only) \??\M: SERVICES.EXE File opened (read-only) \??\J: b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File opened (read-only) \??\N: WINLOGON.EXE File opened (read-only) \??\K: WishfulThinking.exe File opened (read-only) \??\M: WINLOGON.EXE File opened (read-only) \??\J: SERVICES.EXE File opened (read-only) \??\U: SERVICES.EXE File opened (read-only) \??\G: b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File opened (read-only) \??\Q: nEwb0Rn.exe File opened (read-only) \??\R: nEwb0Rn.exe File opened (read-only) \??\O: WINLOGON.EXE File opened (read-only) \??\G: SERVICES.EXE File opened (read-only) \??\E: b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File opened (read-only) \??\U: b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File opened (read-only) \??\L: WINLOGON.EXE File opened (read-only) \??\O: nEwb0Rn.exe File opened (read-only) \??\T: WINLOGON.EXE File opened (read-only) \??\R: SERVICES.EXE File opened (read-only) \??\M: WishfulThinking.exe File opened (read-only) \??\G: WINLOGON.EXE File opened (read-only) \??\H: WINLOGON.EXE File opened (read-only) \??\B: SERVICES.EXE File opened (read-only) \??\L: nEwb0Rn.exe File opened (read-only) \??\N: nEwb0Rn.exe File opened (read-only) \??\S: nEwb0Rn.exe File opened (read-only) \??\X: WishfulThinking.exe File opened (read-only) \??\E: SERVICES.EXE File opened (read-only) \??\H: SERVICES.EXE File opened (read-only) \??\S: SERVICES.EXE File opened (read-only) \??\R: b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File opened (read-only) \??\V: b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File opened (read-only) \??\M: nEwb0Rn.exe File opened (read-only) \??\E: WishfulThinking.exe File opened (read-only) \??\V: WINLOGON.EXE File opened (read-only) \??\Y: SERVICES.EXE File opened (read-only) \??\L: SERVICES.EXE File opened (read-only) \??\S: b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File opened (read-only) \??\Y: b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File opened (read-only) \??\J: nEwb0Rn.exe File opened (read-only) \??\K: b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File opened (read-only) \??\E: nEwb0Rn.exe File opened (read-only) \??\Q: b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File opened (read-only) \??\B: WINLOGON.EXE File opened (read-only) \??\W: SERVICES.EXE File opened (read-only) \??\K: SERVICES.EXE File opened (read-only) \??\I: nEwb0Rn.exe File opened (read-only) \??\P: WishfulThinking.exe File opened (read-only) \??\P: WINLOGON.EXE File opened (read-only) \??\O: SERVICES.EXE File opened (read-only) \??\X: SERVICES.EXE File opened (read-only) \??\H: WishfulThinking.exe File opened (read-only) \??\I: SERVICES.EXE File opened (read-only) \??\Q: SERVICES.EXE File opened (read-only) \??\H: b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File opened (read-only) \??\H: nEwb0Rn.exe File opened (read-only) \??\K: nEwb0Rn.exe File opened (read-only) \??\U: nEwb0Rn.exe File opened (read-only) \??\Q: WINLOGON.EXE File opened (read-only) \??\P: b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File opened (read-only) \??\G: nEwb0Rn.exe File opened (read-only) \??\T: nEwb0Rn.exe File opened (read-only) \??\Y: WINLOGON.EXE -
Drops file in System32 directory 34 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\DamageControl.scr b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File created C:\Windows\SysWOW64\WishfulThinking.exe nEwb0Rn.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe nEwb0Rn.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\DamageControl.scr nEwb0Rn.exe File created C:\Windows\SysWOW64\WishfulThinking.exe WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe SERVICES.EXE File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File created C:\Windows\SysWOW64\WishfulThinking.exe SERVICES.EXE File created C:\Windows\SysWOW64\DamageControl.scr b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File created C:\Windows\SysWOW64\WishfulThinking.exe b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\DamageControl.scr WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe SERVICES.EXE File opened for modification C:\Windows\SysWOW64\DamageControl.scr SERVICES.EXE File created C:\Windows\SysWOW64\JawsOfLife.exe b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe nEwb0Rn.exe File opened for modification C:\Windows\SysWOW64\DamageControl.scr WishfulThinking.exe File created C:\Windows\SysWOW64\WishfulThinking.exe WishfulThinking.exe -
Drops file in Windows directory 22 IoCs
description ioc Process File created C:\Windows\nEwb0Rn.exe WishfulThinking.exe File opened for modification C:\Windows\nEwb0Rn.exe SERVICES.EXE File created C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\nEwb0Rn.exe b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\nEwb0Rn.exe WINLOGON.EXE File opened for modification C:\Windows\nEwb0Rn.exe b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe File opened for modification C:\Windows\nEwb0Rn.exe nEwb0Rn.exe File created C:\Windows\nEwb0Rn.exe SERVICES.EXE File created C:\Windows\nEwb0Rn.exe WINLOGON.EXE File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\nEwb0Rn.exe nEwb0Rn.exe File opened for modification C:\Windows\nEwb0Rn.exe WishfulThinking.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 45 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\International\s1159 = "Inanimate" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\International\s1159 = "Inanimate" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\International\s1159 = "Inanimate" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\International\ SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\ b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\AutoEndTasks = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\International\s1159 = "Inanimate" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\International\s2359 = "Animate" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\International\ b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\International\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\International\ WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\AutoEndTasks = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\International\s2359 = "Animate" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\International\s2359 = "Animate" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\International\s2359 = "Animate" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\AutoEndTasks = "1" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\ SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\ WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\International\ WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\AutoEndTasks = "1" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\AutoEndTasks = "1" nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\ WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\International\s2359 = "Animate" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\International\s1159 = "Inanimate" SERVICES.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\ b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\ SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\ nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\ WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\ WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" SERVICES.EXE -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ nEwb0Rn.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ WINLOGON.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WINLOGON.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" nEwb0Rn.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ WishfulThinking.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ SERVICES.EXE Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" WINLOGON.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" SERVICES.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" SERVICES.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" nEwb0Rn.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WINLOGON.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe -
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
pid Process 2652 nEwb0Rn.exe 1996 WINLOGON.EXE 2428 WishfulThinking.exe 2060 SERVICES.EXE -
Suspicious use of SetWindowsHookEx 25 IoCs
pid Process 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 2652 nEwb0Rn.exe 2428 WishfulThinking.exe 1996 WINLOGON.EXE 1088 nEwb0Rn.exe 1928 WishfulThinking.exe 1020 WINLOGON.EXE 2144 nEwb0Rn.exe 2060 SERVICES.EXE 2832 WishfulThinking.exe 2092 nEwb0Rn.exe 1584 SERVICES.EXE 2244 nEwb0Rn.exe 2312 WINLOGON.EXE 2496 WishfulThinking.exe 2556 WishfulThinking.exe 2616 WINLOGON.EXE 2612 SERVICES.EXE 2968 SERVICES.EXE 2924 WINLOGON.EXE 2444 nEwb0Rn.exe 2480 SERVICES.EXE 928 WishfulThinking.exe 528 WINLOGON.EXE 580 SERVICES.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2164 wrote to memory of 2652 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 28 PID 2164 wrote to memory of 2652 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 28 PID 2164 wrote to memory of 2652 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 28 PID 2164 wrote to memory of 2652 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 28 PID 2164 wrote to memory of 2428 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 29 PID 2164 wrote to memory of 2428 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 29 PID 2164 wrote to memory of 2428 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 29 PID 2164 wrote to memory of 2428 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 29 PID 2164 wrote to memory of 1996 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 30 PID 2164 wrote to memory of 1996 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 30 PID 2164 wrote to memory of 1996 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 30 PID 2164 wrote to memory of 1996 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 30 PID 2164 wrote to memory of 1088 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 31 PID 2164 wrote to memory of 1088 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 31 PID 2164 wrote to memory of 1088 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 31 PID 2164 wrote to memory of 1088 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 31 PID 2164 wrote to memory of 1928 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 32 PID 2164 wrote to memory of 1928 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 32 PID 2164 wrote to memory of 1928 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 32 PID 2164 wrote to memory of 1928 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 32 PID 2164 wrote to memory of 1020 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 33 PID 2164 wrote to memory of 1020 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 33 PID 2164 wrote to memory of 1020 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 33 PID 2164 wrote to memory of 1020 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 33 PID 2652 wrote to memory of 2144 2652 nEwb0Rn.exe 34 PID 2652 wrote to memory of 2144 2652 nEwb0Rn.exe 34 PID 2652 wrote to memory of 2144 2652 nEwb0Rn.exe 34 PID 2652 wrote to memory of 2144 2652 nEwb0Rn.exe 34 PID 2164 wrote to memory of 2060 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 35 PID 2164 wrote to memory of 2060 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 35 PID 2164 wrote to memory of 2060 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 35 PID 2164 wrote to memory of 2060 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 35 PID 2652 wrote to memory of 2832 2652 nEwb0Rn.exe 36 PID 2652 wrote to memory of 2832 2652 nEwb0Rn.exe 36 PID 2652 wrote to memory of 2832 2652 nEwb0Rn.exe 36 PID 2652 wrote to memory of 2832 2652 nEwb0Rn.exe 36 PID 2428 wrote to memory of 2092 2428 WishfulThinking.exe 37 PID 2428 wrote to memory of 2092 2428 WishfulThinking.exe 37 PID 2428 wrote to memory of 2092 2428 WishfulThinking.exe 37 PID 2428 wrote to memory of 2092 2428 WishfulThinking.exe 37 PID 1996 wrote to memory of 2244 1996 WINLOGON.EXE 38 PID 1996 wrote to memory of 2244 1996 WINLOGON.EXE 38 PID 1996 wrote to memory of 2244 1996 WINLOGON.EXE 38 PID 1996 wrote to memory of 2244 1996 WINLOGON.EXE 38 PID 2164 wrote to memory of 1584 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 39 PID 2164 wrote to memory of 1584 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 39 PID 2164 wrote to memory of 1584 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 39 PID 2164 wrote to memory of 1584 2164 b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe 39 PID 2652 wrote to memory of 2312 2652 nEwb0Rn.exe 40 PID 2652 wrote to memory of 2312 2652 nEwb0Rn.exe 40 PID 2652 wrote to memory of 2312 2652 nEwb0Rn.exe 40 PID 2652 wrote to memory of 2312 2652 nEwb0Rn.exe 40 PID 2428 wrote to memory of 2496 2428 WishfulThinking.exe 41 PID 2428 wrote to memory of 2496 2428 WishfulThinking.exe 41 PID 2428 wrote to memory of 2496 2428 WishfulThinking.exe 41 PID 2428 wrote to memory of 2496 2428 WishfulThinking.exe 41 PID 1996 wrote to memory of 2556 1996 WINLOGON.EXE 42 PID 1996 wrote to memory of 2556 1996 WINLOGON.EXE 42 PID 1996 wrote to memory of 2556 1996 WINLOGON.EXE 42 PID 1996 wrote to memory of 2556 1996 WINLOGON.EXE 42 PID 2428 wrote to memory of 2616 2428 WishfulThinking.exe 43 PID 2428 wrote to memory of 2616 2428 WishfulThinking.exe 43 PID 2428 wrote to memory of 2616 2428 WishfulThinking.exe 43 PID 2428 wrote to memory of 2616 2428 WishfulThinking.exe 43 -
System policy modification 1 TTPs 35 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System nEwb0Rn.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe"C:\Users\Admin\AppData\Local\Temp\b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2164 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2652 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2144
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2832
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2312
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2612
-
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2428 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2092
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2496
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2616
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2968
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1996 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2244
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2556
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2924
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2480
-
-
-
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1088
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1928
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1020
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2060 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2444
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:928
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:528
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:580
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1584
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
10Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
52KB
MD5dd9956fa47936e7adc19cbe9df0ddc7f
SHA122bada3de3e6b718aaaa2f22800ad11e008cd1a7
SHA256a61ac4223f25eaa4aacc93c91ea79c90cfd40d81d722f2351b9297f7e0e06862
SHA512cf9f6b34ac959dda770dcbf686cd65dc7361a646f663785bfe0206b193acfdda0b4f0897727b6ead6cf547c222380541f2178fa0e1d8bd77659bc8c620601f09
-
Filesize
52KB
MD58e8f5c57ab9001d5cb1d05d13a0104af
SHA16fbc8074928446b94259bf7152cb70a2b92a66fa
SHA2563dc0f4b680af893588dd2eaef6930fb6554e2d256892d151f9969fc59c53db05
SHA512c23aca6e63ea4fe7c2e16374f23a77e050a4d07d41dd622132f81bf0697ab43815e9439ef2e2be160b5b5cb1463ada631f13c9d5f448e83b3be72e23ce020706
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
52KB
MD5947ab3ddde9763329f46b30c3e84321a
SHA1852ec64e99858a34d7ee744b7a67ea3d70be3794
SHA25672fe98f183a1b309aff446a2288c787ae592584b14afc5e5b9159b1399bbb302
SHA512c5189dc3f253947e6fb3702ea13b836448c19b3a050e4c153e4ebec60bcb068a1e9e6720f0310965e1e36b5ba4666effebf2a060c9aecec20f7a017034094540
-
Filesize
52KB
MD5d5a12969c9c21b0eda19b157eee676d9
SHA13bcb610ea66d2922ea2e0171cbae20b817408ef5
SHA256b3b8202580f0b47bf4d6dad051caa8bf07738d2601e4f512a26636826ecfb550
SHA512974227f4d3e664c47c73a7c08b9e2b98849982a98dad9efddcf2187c1ec9eb62f77c58ea51553bcbae5f8cbb3ded48723fa8249393d3eba7b8f731a8bd700bb9
-
Filesize
52KB
MD52507adee4d70f7ec2441645d04d66b09
SHA1ec123fea03823a16a5baa5b3943e4321cfa3a3f5
SHA256dc3aca6b77f848b1bbbcab472abccbf1b07732d28c02ac54b78a538b10092347
SHA51245b63d2e37bbc39a3581fbc42b3024282af39430a467ab181c67f5e6fc8f4f213e6cda98015ef728b52d3317f229d27d4553bf4df5b9d8e4cd96618958d06c78
-
Filesize
52KB
MD5d51a11ae98418b40172d94a76498dc90
SHA13af02f97c842662e818e497898a2143edf4a9685
SHA2564c767936b8948ef7c573d75b671e215a983a94b88302bcde78767f6b2f85a65d
SHA51251de72e521631448324530d017e05509216717c04200b39c99a0bb8f75a3d8f89b8442692f27c2ce048bef5ef2961e4adaafbbb61e31ee1a782db7ad56946b80
-
Filesize
2KB
MD594c0c5518c4f4bb044842a006d04932a
SHA123d9a914f6681d65e2b1faa171f4cf492562ebdb
SHA256224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e
SHA51279cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb
-
Filesize
52KB
MD5ec575ca116023c50cd18eec0bb929328
SHA14e729b0723d4fb6167474b7e02cdc3d9547c8d82
SHA2561d9c5dc12f3caceb7c94e572469c28785a45fc043768bfa57d6a2adafa4b3ed5
SHA51281558a0fa8f29085b2ce7eb9ce2d46a757ca45dc1dd791eef1ba04ca1d121ecc3e45ea1677477c4fa12a3db709494f794e4032d2fc014192b3dd1f8bd170b337
-
Filesize
52KB
MD52af957fddc2dc512bec06021d237ceb1
SHA12d7ea767d3444297cfcff9f694983cb19cd991f3
SHA256257f5e27312385d2f6cb0a26074d28598a20d95951235d0f5479381aad5b40a7
SHA5124950560213f6b5ddb94e62b1a901d224e38c1a19a64599659c4852897dfabb942cd64d8adc8327744849fd0c728282bb760bca5bdc087d29b9ea960c8d8ddf31
-
Filesize
52KB
MD562b69e2e8c9e2889fa5821632e9fc126
SHA18bfee69b50c6ffeef4236d8974afc84de782e845
SHA256d88bfe649c8e77e3d41c57a2eb7611896c6cd136661412ce11082d3059f08297
SHA512fb31a42809d3509cd28ead4828a745712f561f717e42329b8a4cc491f50929f53583581dbf8712a952414ce73d44367e0dbba3d20b04cb7416f5b6954ef028d3