ecca5e8ee82efdd4f4aeff70b9e3c34172f31abb275888d34e0eb871ba82dce2

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Size

52KB
MD5

269d5810ca917e2c32099142d7508cf0
SHA1

d81ca49c0deaa9f3ca01edbdf065b0a7e6fd700b
SHA256

ecca5e8ee82efdd4f4aeff70b9e3c34172f31abb275888d34e0eb871ba82dce2
SHA512

7d19b30849c4df603c193cc30051280be2610d2f72cf8efc9b1acd5baa2346056be3c20055954f68278b61ea3acc31fec8fdeb3eae45bc4c270ad66a473fa2a6
SSDEEP

768:d+ciLamXW9XgMxjFkpvMVX8q18q13yO1+33j5n/wkkfw:IzaEW5gMxZVXf8a3yO10pwe

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	WishfulThinking.exe

Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WINLOGON.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WishfulThinking.exe

Windows security bypass 2 TTPs 25 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe

Blocks application from running via registry modification 30 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	SERVICES.EXE

Disables RegEdit via registry modification 10 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Sets file execution options in registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe

Executes dropped EXE 20 IoCs

pid	Process
2528	nEwb0Rn.exe
3068	WishfulThinking.exe
2808	WINLOGON.EXE
2892	SERVICES.EXE
2420	nEwb0Rn.exe
2520	WishfulThinking.exe
1948	nEwb0Rn.exe
2632	WishfulThinking.exe
2916	WINLOGON.EXE
3056	nEwb0Rn.exe
352	SERVICES.EXE
2964	nEwb0Rn.exe
964	WishfulThinking.exe
1988	WINLOGON.EXE
2348	WINLOGON.EXE
2676	WishfulThinking.exe
2116	SERVICES.EXE
2568	WINLOGON.EXE
2816	SERVICES.EXE
2556	SERVICES.EXE

Loads dropped DLL 28 IoCs

pid	Process
2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
2528	nEwb0Rn.exe
2528	nEwb0Rn.exe
2528	nEwb0Rn.exe
2528	nEwb0Rn.exe
3068	WishfulThinking.exe
3068	WishfulThinking.exe
2528	nEwb0Rn.exe
2528	nEwb0Rn.exe
2808	WINLOGON.EXE
2808	WINLOGON.EXE
2808	WINLOGON.EXE
3068	WishfulThinking.exe
3068	WishfulThinking.exe
2892	SERVICES.EXE
2892	SERVICES.EXE
3068	WishfulThinking.exe
3068	WishfulThinking.exe
2808	WINLOGON.EXE
2808	WINLOGON.EXE
2892	SERVICES.EXE
2892	SERVICES.EXE
2892	SERVICES.EXE

Modifies system executable filetype association 2 TTPs 62 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WINLOGON.EXE

Windows security modification 2 TTPs 30 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	nEwb0Rn.exe

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WINLOGON.EXE

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	F:\desktop.ini	nEwb0Rn.exe
File created	F:\desktop.ini	nEwb0Rn.exe
File opened for modification	C:\desktop.ini	nEwb0Rn.exe
File created	C:\desktop.ini	nEwb0Rn.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	SERVICES.EXE
File opened (read-only)	\??\W:	SERVICES.EXE
File opened (read-only)	\??\U:	nEwb0Rn.exe
File opened (read-only)	\??\Y:	WINLOGON.EXE
File opened (read-only)	\??\Z:	WINLOGON.EXE
File opened (read-only)	\??\J:	SERVICES.EXE
File opened (read-only)	\??\N:	nEwb0Rn.exe
File opened (read-only)	\??\V:	nEwb0Rn.exe
File opened (read-only)	\??\W:	WishfulThinking.exe
File opened (read-only)	\??\H:	WINLOGON.EXE
File opened (read-only)	\??\Y:	SERVICES.EXE
File opened (read-only)	\??\O:	nEwb0Rn.exe
File opened (read-only)	\??\J:	WishfulThinking.exe
File opened (read-only)	\??\Q:	WINLOGON.EXE
File opened (read-only)	\??\T:	SERVICES.EXE
File opened (read-only)	\??\M:	SERVICES.EXE
File opened (read-only)	\??\M:	WishfulThinking.exe
File opened (read-only)	\??\N:	WishfulThinking.exe
File opened (read-only)	\??\S:	WishfulThinking.exe
File opened (read-only)	\??\G:	WINLOGON.EXE
File opened (read-only)	\??\P:	WishfulThinking.exe
File opened (read-only)	\??\Q:	WishfulThinking.exe
File opened (read-only)	\??\U:	WishfulThinking.exe
File opened (read-only)	\??\X:	WINLOGON.EXE
File opened (read-only)	\??\X:	WishfulThinking.exe
File opened (read-only)	\??\S:	WINLOGON.EXE
File opened (read-only)	\??\V:	WINLOGON.EXE
File opened (read-only)	\??\T:	nEwb0Rn.exe
File opened (read-only)	\??\W:	nEwb0Rn.exe
File opened (read-only)	\??\X:	nEwb0Rn.exe
File opened (read-only)	\??\K:	WishfulThinking.exe
File opened (read-only)	\??\I:	SERVICES.EXE
File opened (read-only)	\??\S:	SERVICES.EXE
File opened (read-only)	\??\U:	SERVICES.EXE
File opened (read-only)	\??\X:	SERVICES.EXE
File opened (read-only)	\??\B:	nEwb0Rn.exe
File opened (read-only)	\??\L:	WishfulThinking.exe
File opened (read-only)	\??\Y:	WishfulThinking.exe
File opened (read-only)	\??\Z:	WishfulThinking.exe
File opened (read-only)	\??\R:	nEwb0Rn.exe
File opened (read-only)	\??\H:	WishfulThinking.exe
File opened (read-only)	\??\R:	SERVICES.EXE
File opened (read-only)	\??\N:	WINLOGON.EXE
File opened (read-only)	\??\K:	SERVICES.EXE
File opened (read-only)	\??\Z:	SERVICES.EXE
File opened (read-only)	\??\K:	nEwb0Rn.exe
File opened (read-only)	\??\Q:	nEwb0Rn.exe
File opened (read-only)	\??\R:	WishfulThinking.exe
File opened (read-only)	\??\I:	WINLOGON.EXE
File opened (read-only)	\??\O:	WishfulThinking.exe
File opened (read-only)	\??\E:	WINLOGON.EXE
File opened (read-only)	\??\G:	nEwb0Rn.exe
File opened (read-only)	\??\I:	nEwb0Rn.exe
File opened (read-only)	\??\M:	nEwb0Rn.exe
File opened (read-only)	\??\S:	nEwb0Rn.exe
File opened (read-only)	\??\U:	WINLOGON.EXE
File opened (read-only)	\??\V:	WishfulThinking.exe
File opened (read-only)	\??\L:	WINLOGON.EXE
File opened (read-only)	\??\O:	WINLOGON.EXE
File opened (read-only)	\??\R:	WINLOGON.EXE
File opened (read-only)	\??\P:	nEwb0Rn.exe
File opened (read-only)	\??\Z:	nEwb0Rn.exe
File opened (read-only)	\??\N:	SERVICES.EXE
File opened (read-only)	\??\K:	WINLOGON.EXE

Drops file in System32 directory 32 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WishfulThinking.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	nEwb0Rn.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\DamageControl.scr	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	WINLOGON.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\JawsOfLife.exe	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\nEwb0Rn.exe	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\nEwb0Rn.exe	WINLOGON.EXE
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\nEwb0Rn.exe	SERVICES.EXE
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
File created	C:\Windows\nEwb0Rn.exe	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	SERVICES.EXE
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\nEwb0Rn.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	WINLOGON.EXE
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 45 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\AutoEndTasks = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s1159 = "Inanimate"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s2359 = "Animate"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s1159 = "Inanimate"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s2359 = "Animate"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\AutoEndTasks = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\AutoEndTasks = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s1159 = "Inanimate"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\AutoEndTasks = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s2359 = "Animate"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s1159 = "Inanimate"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\AutoEndTasks = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s2359 = "Animate"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s1159 = "Inanimate"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s2359 = "Animate"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\	WINLOGON.EXE

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	nEwb0Rn.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	SERVICES.EXE
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	nEwb0Rn.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	WINLOGON.EXE
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	SERVICES.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WishfulThinking.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
2528	nEwb0Rn.exe
2808	WINLOGON.EXE
3068	WishfulThinking.exe
2892	SERVICES.EXE

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
2528	nEwb0Rn.exe
3068	WishfulThinking.exe
2808	WINLOGON.EXE
2892	SERVICES.EXE
2420	nEwb0Rn.exe
2520	WishfulThinking.exe
1948	nEwb0Rn.exe
2916	WINLOGON.EXE
3056	nEwb0Rn.exe
352	SERVICES.EXE
2632	WishfulThinking.exe
964	WishfulThinking.exe
2964	nEwb0Rn.exe
2348	WINLOGON.EXE
1988	WINLOGON.EXE
2676	WishfulThinking.exe
2116	SERVICES.EXE
2816	SERVICES.EXE
2568	WINLOGON.EXE
2556	SERVICES.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2528	2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe	28
PID 2460 wrote to memory of 2528	2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe	28
PID 2460 wrote to memory of 2528	2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe	28
PID 2460 wrote to memory of 2528	2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe	28
PID 2460 wrote to memory of 3068	2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe	29
PID 2460 wrote to memory of 3068	2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe	29
PID 2460 wrote to memory of 3068	2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe	29
PID 2460 wrote to memory of 3068	2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe	29
PID 2460 wrote to memory of 2808	2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe	30
PID 2460 wrote to memory of 2808	2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe	30
PID 2460 wrote to memory of 2808	2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe	30
PID 2460 wrote to memory of 2808	2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe	30
PID 2460 wrote to memory of 2892	2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe	31
PID 2460 wrote to memory of 2892	2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe	31
PID 2460 wrote to memory of 2892	2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe	31
PID 2460 wrote to memory of 2892	2460	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe	31
PID 2528 wrote to memory of 2420	2528	nEwb0Rn.exe	32
PID 2528 wrote to memory of 2420	2528	nEwb0Rn.exe	32
PID 2528 wrote to memory of 2420	2528	nEwb0Rn.exe	32
PID 2528 wrote to memory of 2420	2528	nEwb0Rn.exe	32
PID 2528 wrote to memory of 2520	2528	nEwb0Rn.exe	33
PID 2528 wrote to memory of 2520	2528	nEwb0Rn.exe	33
PID 2528 wrote to memory of 2520	2528	nEwb0Rn.exe	33
PID 2528 wrote to memory of 2520	2528	nEwb0Rn.exe	33
PID 3068 wrote to memory of 1948	3068	WishfulThinking.exe	34
PID 3068 wrote to memory of 1948	3068	WishfulThinking.exe	34
PID 3068 wrote to memory of 1948	3068	WishfulThinking.exe	34
PID 3068 wrote to memory of 1948	3068	WishfulThinking.exe	34
PID 2528 wrote to memory of 2916	2528	nEwb0Rn.exe	35
PID 2528 wrote to memory of 2916	2528	nEwb0Rn.exe	35
PID 2528 wrote to memory of 2916	2528	nEwb0Rn.exe	35
PID 2528 wrote to memory of 2916	2528	nEwb0Rn.exe	35
PID 3068 wrote to memory of 2632	3068	WishfulThinking.exe	36
PID 3068 wrote to memory of 2632	3068	WishfulThinking.exe	36
PID 3068 wrote to memory of 2632	3068	WishfulThinking.exe	36
PID 3068 wrote to memory of 2632	3068	WishfulThinking.exe	36
PID 2808 wrote to memory of 3056	2808	WINLOGON.EXE	37
PID 2808 wrote to memory of 3056	2808	WINLOGON.EXE	37
PID 2808 wrote to memory of 3056	2808	WINLOGON.EXE	37
PID 2808 wrote to memory of 3056	2808	WINLOGON.EXE	37
PID 2528 wrote to memory of 352	2528	nEwb0Rn.exe	38
PID 2528 wrote to memory of 352	2528	nEwb0Rn.exe	38
PID 2528 wrote to memory of 352	2528	nEwb0Rn.exe	38
PID 2528 wrote to memory of 352	2528	nEwb0Rn.exe	38
PID 2892 wrote to memory of 2964	2892	SERVICES.EXE	39
PID 2892 wrote to memory of 2964	2892	SERVICES.EXE	39
PID 2892 wrote to memory of 2964	2892	SERVICES.EXE	39
PID 2892 wrote to memory of 2964	2892	SERVICES.EXE	39
PID 2808 wrote to memory of 964	2808	WINLOGON.EXE	40
PID 2808 wrote to memory of 964	2808	WINLOGON.EXE	40
PID 2808 wrote to memory of 964	2808	WINLOGON.EXE	40
PID 2808 wrote to memory of 964	2808	WINLOGON.EXE	40
PID 2808 wrote to memory of 1988	2808	WINLOGON.EXE	41
PID 2808 wrote to memory of 1988	2808	WINLOGON.EXE	41
PID 2808 wrote to memory of 1988	2808	WINLOGON.EXE	41
PID 2808 wrote to memory of 1988	2808	WINLOGON.EXE	41
PID 3068 wrote to memory of 2348	3068	WishfulThinking.exe	42
PID 3068 wrote to memory of 2348	3068	WishfulThinking.exe	42
PID 3068 wrote to memory of 2348	3068	WishfulThinking.exe	42
PID 3068 wrote to memory of 2348	3068	WishfulThinking.exe	42
PID 2892 wrote to memory of 2676	2892	SERVICES.EXE	43
PID 2892 wrote to memory of 2676	2892	SERVICES.EXE	43
PID 2892 wrote to memory of 2676	2892	SERVICES.EXE	43
PID 2892 wrote to memory of 2676	2892	SERVICES.EXE	43

System policy modification 1 TTPs 35 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	SERVICES.EXE

C:\Users\Admin\AppData\Local\Temp\269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\269d5810ca917e2c32099142d7508cf0_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2460
- C:\Windows\nEwb0Rn.exe
  C:\Windows\nEwb0Rn.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2528
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2420
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2520
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2916
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:352
- C:\Windows\SysWOW64\WishfulThinking.exe
  C:\Windows\system32\WishfulThinking.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3068
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1948
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2632
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2348
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2116
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2808
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3056
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:964
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1988
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2816
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2892
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2964
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2676
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2568
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
52KB

MD5
264ed438557a712e251149212749b63a

SHA1
d553e1ff23b130540e725cbe9e396f4717849c00

SHA256
a5a5b5487fed93a0e936440916d3d9de50612b85b4f81f0d2805395632c3ba7d

SHA512
0b5a6c5925365799e8701f980f237ad1ab91da0a59031d4e7bc365092d47f9e6f79d620bf2e90bbd74ffbb1329e534ed81980940c60fd0c50fd492c7e29b9126

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
52KB

MD5
aa15e1144fc79122d8e33094dabf2e18

SHA1
91d8288198f3472ea3d2b346aa25f05744f8237d

SHA256
f4681029e80e3e532795e6f60ae182cfc44b4f9ed40471fdcc5816a65ae59f7c

SHA512
bd735189ff9506b44c7991bdaebbcb5a5b12e017bc20267366c826f52ca87ceec1eb39e144a0425009f74e1e8f02a86b2515f59049b05c3ce6a8fd3dc6c129b5

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
52KB

MD5
e7d8e4049b13bf3c4c3a9eb0ac87e997

SHA1
fbb9be3002659a48fa4349f360edc16247d2ddb2

SHA256
9ada53852fc52a3e14ad69b677bc43a8e4c9d7a18f9d164b601c513f2c972085

SHA512
ee320b1c6de1bfdae1c2cd0cebf1e62a340f59ecaae611327e7088cb5107365dbcba6b8bc5c244c828dec42c481b02f152a2e434be9b9b256df78f6b107da50b

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
52KB

MD5
2539c240b5596b2773f1bcb883a5cd21

SHA1
570d284256f8ddda2dff876861520e1488755c34

SHA256
ee6a381bbb57a5f9f12dd785ce232f94d990cf23a59842c5424821a478cb9040

SHA512
0d48220bf9ac6138742ffcebbb9bb7bef5548f6cca16e5df186c5f0fba5c0ad856dfa8b5c862fc407fff7bc23694a70d5e7b00bb529c8ee8378eee2b63ab7d99

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
52KB

MD5
269d5810ca917e2c32099142d7508cf0

SHA1
d81ca49c0deaa9f3ca01edbdf065b0a7e6fd700b

SHA256
ecca5e8ee82efdd4f4aeff70b9e3c34172f31abb275888d34e0eb871ba82dce2

SHA512
7d19b30849c4df603c193cc30051280be2610d2f72cf8efc9b1acd5baa2346056be3c20055954f68278b61ea3acc31fec8fdeb3eae45bc4c270ad66a473fa2a6

Download Submit
C:\Windows\SysWOW64\JawsOfLife.exe

Filesize
52KB

MD5
6b6ef47d59803aa360888f288c28de70

SHA1
b0cb1aa2e650b783c90af864550152866b0c045a

SHA256
866c7f21d552f43e73c3fb6e17419e4ea632faced128c65c7b78a71248dd1d85

SHA512
252a5d2fe10d69346103871df0c529beb49078dc7cf6202d5a1d0d14a43c8e27478926239e771cc3f06c73289a8b9c3ef8334d24d374dcd9b11b3e6ec877b233

Download Submit
C:\Windows\SysWOW64\JawsOfLife.exe

Filesize
52KB

MD5
8b7288a6559b5ce07de782aa80bd8e33

SHA1
9c51cd39feb35c2d74bbab8c8f8922f5e36f376c

SHA256
5c8acfa2db78bf724a9728d3b721026c633574d5fac464ae839cc17fa3fed101

SHA512
4132b07076659667a632e39c8e529b5c64ba9ef2262fbc26abc315165aef90008d99564c82611216a1e2b9a038a524d434f7d50b75942caa3b18c84d87f3e1e4

Download Submit
C:\Windows\nEwb0Rn.exe

Filesize
52KB

MD5
a8badac54f7f19b292727fc801a5ca63

SHA1
1ed73f77f40c9c0378e637050442c5204b91c315

SHA256
25a31c54de9d0c58fa6eba8d1752af2ef81cffe2ab76e67252aa069c721d1c11

SHA512
57d194bf64874d232533b31609945d0a36a2a98b2a964dddb515b334ecd0c5283c76f29f5100623d5eaaf9568bec3a65dde81e1d1e122f013cb0135f4ffda46a

Download Submit
C:\about.htm

Filesize
2KB

MD5
94c0c5518c4f4bb044842a006d04932a

SHA1
23d9a914f6681d65e2b1faa171f4cf492562ebdb

SHA256
224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e

SHA512
79cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb

Download Submit
C:\nEwb0Rn.exe

Filesize
52KB

MD5
205a7f62081b61f8d16f6600a52382d6

SHA1
3662569e28c4759996058a63d0a899e7a5d24ec8

SHA256
1d606b4d0f04771513938c6969911b375d99860f5ad79a5e812a577083e16c40

SHA512
33a48f8048dcb0c000ceae163ff82e24bfc860aea2b6da09fbab7d20d777d1e2a6644b0e23054cfc99f66914e92bfa26f646bf5a71a8ff89e45e5512a92068e1

Download Submit
C:\nEwb0Rn.exe

Filesize
52KB

MD5
945b2136459437d264d8628c4f794eaf

SHA1
8aa46617fba3c4c1d9957c3945414aaa5132edb3

SHA256
0e9806ab2e71b6713791a29a1927f50576bf418bfd10cbb5ef2d3e88e54073b8

SHA512
ded603d82bf9de362177a9df898db0a2807673feea7fe8c798a6757db9ba9c2e3e4b684ca8a6ad8542ccbeb1c854f9283c91b988fb5d16635bfb3c2bed64a804

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
52KB

MD5
c88e73fc50b9e90e719679872c788e73

SHA1
8c5c98e1cddceb63faaa61942b1c224728e617ac

SHA256
bfc1478468aa8deedd04996ff0e9962fa0ba723b0e56efc9fd11af2099400a9b

SHA512
db0ce1bee4b4f61d0a3f37f7c9ff6e5b4025c56e421331be37d3c9072021e47ea898568f8483f123956104b5cb2ae24e74d89348224c0cf6fa90d4d4caa4cc09

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
52KB

MD5
4e764c95b46449e7f85616956ecb2f3e

SHA1
f2d7662bef5349a4cc4df1395289839bf97fe76d

SHA256
0917c454ad4f9f012a8b41638f63f2015a3c8736f4bb03789feb71e3170c68cc

SHA512
60a0dc96ee13913f8754c556195f8a38f13b60b1a3026e6b934b7f71aa1d48d6904eedafc9da4e7054ac6828816795bc63de2378a3107bc48bdbfd2f423c57ff

Download Submit
\Windows\SysWOW64\WishfulThinking.exe

Filesize
52KB

MD5
72f5f14461d840d56aecfca93c66df64

SHA1
5c022ca6d84daeb3bacd123c0c54e5a3d5949064

SHA256
ebd6b5574e71cfa9012afeaf5653422764fb1c135e176f86c4d1017b99c6faf1

SHA512
cbc9dba02a6bae1c17ae97bc4ea5651d4db35e40aafef9110f0fb26a2ca4e730c606615a5274a990f25144219d6c30bf5f8fb309a1509b98c508f41546bde1b5

Download Submit
memory/352-254-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/352-312-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/964-293-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/964-369-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1948-205-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1948-204-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1948-201-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1988-383-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2116-379-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2116-385-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2348-376-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2348-363-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2420-160-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2420-158-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2420-154-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2460-102-0x00000000027A0000-0x00000000027C8000-memory.dmp

Filesize
160KB

Download
memory/2460-103-0x00000000027A0000-0x00000000027C8000-memory.dmp

Filesize
160KB

Download
memory/2460-119-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2460-81-0x00000000027A0000-0x00000000027C8000-memory.dmp

Filesize
160KB

Download
memory/2460-84-0x00000000027A0000-0x00000000027C8000-memory.dmp

Filesize
160KB

Download
memory/2460-79-0x00000000027A0000-0x00000000027C8000-memory.dmp

Filesize
160KB

Download
memory/2460-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2520-198-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2520-162-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2528-202-0x0000000001EB0000-0x0000000001ED8000-memory.dmp

Filesize
160KB

Download
memory/2528-404-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2528-253-0x0000000001EB0000-0x0000000001ED8000-memory.dmp

Filesize
160KB

Download
memory/2528-224-0x0000000001EB0000-0x0000000001ED8000-memory.dmp

Filesize
160KB

Download
memory/2528-82-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2528-194-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2528-358-0x0000000001EB0000-0x0000000001ED8000-memory.dmp

Filesize
160KB

Download
memory/2528-359-0x0000000001EB0000-0x0000000001ED8000-memory.dmp

Filesize
160KB

Download
memory/2556-402-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2568-396-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2632-361-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2676-387-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2808-240-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2808-105-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2808-397-0x0000000001C50000-0x0000000001C78000-memory.dmp

Filesize
160KB

Download
memory/2808-360-0x0000000001C50000-0x0000000001C78000-memory.dmp

Filesize
160KB

Download
memory/2808-291-0x0000000001C50000-0x0000000001C78000-memory.dmp

Filesize
160KB

Download
memory/2808-242-0x0000000001C50000-0x0000000001C78000-memory.dmp

Filesize
160KB

Download
memory/2808-403-0x0000000001C50000-0x0000000001C78000-memory.dmp

Filesize
160KB

Download
memory/2808-241-0x0000000001C50000-0x0000000001C78000-memory.dmp

Filesize
160KB

Download
memory/2808-406-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2808-414-0x0000000001C50000-0x0000000001C78000-memory.dmp

Filesize
160KB

Download
memory/2816-394-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2816-389-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2892-244-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2892-407-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2892-409-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2892-366-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2892-364-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2892-115-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2892-289-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2892-398-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2916-245-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2916-300-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2964-290-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2964-373-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/3056-249-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3056-296-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3056-295-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/3068-93-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3068-405-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3068-362-0x00000000003D0000-0x00000000003F8000-memory.dmp

Filesize
160KB

Download
memory/3068-222-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3068-408-0x00000000003D0000-0x00000000003F8000-memory.dmp

Filesize
160KB

Download
memory/3068-193-0x00000000003D0000-0x00000000003F8000-memory.dmp

Filesize
160KB

Download