353cad2e2db635c3dbe7301dc03bcda5eb98797da0c1f1e98f10db8458d281f4

Analysis

max time kernel
119s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

769b30ce75344facc1900f9ac642d760N.exe
Size

52KB
MD5

769b30ce75344facc1900f9ac642d760
SHA1

54c234564e97d7c401846fdc9b553d90f3325895
SHA256

353cad2e2db635c3dbe7301dc03bcda5eb98797da0c1f1e98f10db8458d281f4
SHA512

07f07fae6d5ced4e99770faad9c21f1704b1faa892a004361cf23dbe19b965b36fbe001a417edb137be8c036b3df294984c3d4618b85d3825352e1ffd4b02621
SSDEEP

768:d+ciLamXW9XgMxjFkpvMVX8q18q13yO1oj5n/w3Dkfw:IzaEW5gMxZVXf8a3yO1opw3z

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	SERVICES.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE

Windows security bypass 2 TTPs 25 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	nEwb0Rn.exe

Blocks application from running via registry modification 30 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE

Disables RegEdit via registry modification 10 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 10 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	SERVICES.EXE

Executes dropped EXE 20 IoCs

pid	Process
2104	nEwb0Rn.exe
3120	WishfulThinking.exe
3812	WINLOGON.EXE
2124	SERVICES.EXE
1876	nEwb0Rn.exe
4460	WishfulThinking.exe
1728	WINLOGON.EXE
4256	nEwb0Rn.exe
452	nEwb0Rn.exe
3448	WishfulThinking.exe
5104	WishfulThinking.exe
208	WINLOGON.EXE
4996	WINLOGON.EXE
1304	nEwb0Rn.exe
1676	SERVICES.EXE
3040	SERVICES.EXE
1004	SERVICES.EXE
2860	WishfulThinking.exe
3196	WINLOGON.EXE
3432	SERVICES.EXE

Loads dropped DLL 4 IoCs

pid	Process
1876	nEwb0Rn.exe
4256	nEwb0Rn.exe
452	nEwb0Rn.exe
1304	nEwb0Rn.exe

Modifies system executable filetype association 2 TTPs 62 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE

Windows security modification 2 TTPs 30 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	769b30ce75344facc1900f9ac642d760N.exe

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WishfulThinking.exe

Drops desktop.ini file(s) 14 IoCs

description	ioc	Process
File created	F:\desktop.ini	WINLOGON.EXE
File opened for modification	F:\desktop.ini	nEwb0Rn.exe
File created	C:\desktop.ini	nEwb0Rn.exe
File opened for modification	F:\desktop.ini	WishfulThinking.exe
File created	F:\desktop.ini	WishfulThinking.exe
File created	F:\desktop.ini	SERVICES.EXE
File created	F:\desktop.ini	nEwb0Rn.exe
File created	C:\desktop.ini	WishfulThinking.exe
File opened for modification	F:\desktop.ini	WINLOGON.EXE
File opened for modification	C:\desktop.ini	WishfulThinking.exe
File created	C:\desktop.ini	WINLOGON.EXE
File opened for modification	C:\desktop.ini	nEwb0Rn.exe
File opened for modification	F:\desktop.ini	SERVICES.EXE
File opened for modification	C:\desktop.ini	WINLOGON.EXE

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	nEwb0Rn.exe
File opened (read-only)	\??\L:	nEwb0Rn.exe
File opened (read-only)	\??\B:	WishfulThinking.exe
File opened (read-only)	\??\V:	WishfulThinking.exe
File opened (read-only)	\??\Z:	nEwb0Rn.exe
File opened (read-only)	\??\U:	WishfulThinking.exe
File opened (read-only)	\??\H:	WINLOGON.EXE
File opened (read-only)	\??\Q:	WINLOGON.EXE
File opened (read-only)	\??\Z:	WINLOGON.EXE
File opened (read-only)	\??\M:	nEwb0Rn.exe
File opened (read-only)	\??\W:	nEwb0Rn.exe
File opened (read-only)	\??\J:	WINLOGON.EXE
File opened (read-only)	\??\P:	nEwb0Rn.exe
File opened (read-only)	\??\X:	WishfulThinking.exe
File opened (read-only)	\??\I:	SERVICES.EXE
File opened (read-only)	\??\J:	SERVICES.EXE
File opened (read-only)	\??\L:	WishfulThinking.exe
File opened (read-only)	\??\R:	WishfulThinking.exe
File opened (read-only)	\??\O:	SERVICES.EXE
File opened (read-only)	\??\T:	SERVICES.EXE
File opened (read-only)	\??\I:	WINLOGON.EXE
File opened (read-only)	\??\R:	WINLOGON.EXE
File opened (read-only)	\??\B:	nEwb0Rn.exe
File opened (read-only)	\??\O:	nEwb0Rn.exe
File opened (read-only)	\??\J:	WishfulThinking.exe
File opened (read-only)	\??\I:	WishfulThinking.exe
File opened (read-only)	\??\R:	SERVICES.EXE
File opened (read-only)	\??\V:	SERVICES.EXE
File opened (read-only)	\??\G:	WINLOGON.EXE
File opened (read-only)	\??\X:	WINLOGON.EXE
File opened (read-only)	\??\Y:	WINLOGON.EXE
File opened (read-only)	\??\E:	WishfulThinking.exe
File opened (read-only)	\??\Z:	WishfulThinking.exe
File opened (read-only)	\??\H:	nEwb0Rn.exe
File opened (read-only)	\??\Y:	nEwb0Rn.exe
File opened (read-only)	\??\N:	WishfulThinking.exe
File opened (read-only)	\??\S:	SERVICES.EXE
File opened (read-only)	\??\T:	nEwb0Rn.exe
File opened (read-only)	\??\V:	nEwb0Rn.exe
File opened (read-only)	\??\H:	WishfulThinking.exe
File opened (read-only)	\??\W:	WishfulThinking.exe
File opened (read-only)	\??\B:	SERVICES.EXE
File opened (read-only)	\??\S:	nEwb0Rn.exe
File opened (read-only)	\??\O:	WishfulThinking.exe
File opened (read-only)	\??\K:	SERVICES.EXE
File opened (read-only)	\??\X:	SERVICES.EXE
File opened (read-only)	\??\B:	WINLOGON.EXE
File opened (read-only)	\??\K:	WINLOGON.EXE
File opened (read-only)	\??\I:	nEwb0Rn.exe
File opened (read-only)	\??\E:	SERVICES.EXE
File opened (read-only)	\??\W:	SERVICES.EXE
File opened (read-only)	\??\M:	WINLOGON.EXE
File opened (read-only)	\??\N:	WINLOGON.EXE
File opened (read-only)	\??\W:	WINLOGON.EXE
File opened (read-only)	\??\E:	nEwb0Rn.exe
File opened (read-only)	\??\R:	nEwb0Rn.exe
File opened (read-only)	\??\Q:	nEwb0Rn.exe
File opened (read-only)	\??\U:	nEwb0Rn.exe
File opened (read-only)	\??\P:	WishfulThinking.exe
File opened (read-only)	\??\E:	WINLOGON.EXE
File opened (read-only)	\??\L:	WINLOGON.EXE
File opened (read-only)	\??\O:	WINLOGON.EXE
File opened (read-only)	\??\S:	WINLOGON.EXE
File opened (read-only)	\??\V:	WINLOGON.EXE

Drops file in System32 directory 32 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DamageControl.scr	769b30ce75344facc1900f9ac642d760N.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	769b30ce75344facc1900f9ac642d760N.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	WINLOGON.EXE
File created	C:\Windows\SysWOW64\WishfulThinking.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	WishfulThinking.exe
File created	C:\Windows\SysWOW64\JawsOfLife.exe	769b30ce75344facc1900f9ac642d760N.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	769b30ce75344facc1900f9ac642d760N.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	769b30ce75344facc1900f9ac642d760N.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	769b30ce75344facc1900f9ac642d760N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	WishfulThinking.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	nEwb0Rn.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	WINLOGON.EXE
File created	C:\Windows\nEwb0Rn.exe	SERVICES.EXE
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	SERVICES.EXE
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\nEwb0Rn.exe	769b30ce75344facc1900f9ac642d760N.exe
File created	C:\Windows\nEwb0Rn.exe	nEwb0Rn.exe
File created	C:\Windows\nEwb0Rn.exe	WishfulThinking.exe
File created	C:\Windows\nEwb0Rn.exe	WINLOGON.EXE
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	769b30ce75344facc1900f9ac642d760N.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	769b30ce75344facc1900f9ac642d760N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WishfulThinking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nEwb0Rn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nEwb0Rn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WishfulThinking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WishfulThinking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WishfulThinking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nEwb0Rn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WishfulThinking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nEwb0Rn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nEwb0Rn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE

Modifies Control Panel 45 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\s1159 = "Inanimate"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\s1159 = "Inanimate"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\s2359 = "Animate"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\AutoEndTasks = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\s2359 = "Animate"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\s1159 = "Inanimate"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\s2359 = "Animate"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\AutoEndTasks = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\AutoEndTasks = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\AutoEndTasks = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\s2359 = "Animate"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\s1159 = "Inanimate"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\AutoEndTasks = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\s2359 = "Animate"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\s1159 = "Inanimate"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\	WINLOGON.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	SERVICES.EXE

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	nEwb0Rn.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	SERVICES.EXE
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	WINLOGON.EXE
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	769b30ce75344facc1900f9ac642d760N.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2900	769b30ce75344facc1900f9ac642d760N.exe
2900	769b30ce75344facc1900f9ac642d760N.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
2104	nEwb0Rn.exe
3812	WINLOGON.EXE
2124	SERVICES.EXE
3120	WishfulThinking.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2900	769b30ce75344facc1900f9ac642d760N.exe
2104	nEwb0Rn.exe
3120	WishfulThinking.exe
3812	WINLOGON.EXE
2124	SERVICES.EXE
1876	nEwb0Rn.exe
4460	WishfulThinking.exe
4256	nEwb0Rn.exe
452	nEwb0Rn.exe
3448	WishfulThinking.exe
5104	WishfulThinking.exe
208	WINLOGON.EXE
1728	WINLOGON.EXE
4996	WINLOGON.EXE
1676	SERVICES.EXE
1304	nEwb0Rn.exe
3040	SERVICES.EXE
1004	SERVICES.EXE
2860	WishfulThinking.exe
3196	WINLOGON.EXE
3432	SERVICES.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2104	2900	769b30ce75344facc1900f9ac642d760N.exe	84
PID 2900 wrote to memory of 2104	2900	769b30ce75344facc1900f9ac642d760N.exe	84
PID 2900 wrote to memory of 2104	2900	769b30ce75344facc1900f9ac642d760N.exe	84
PID 2900 wrote to memory of 3120	2900	769b30ce75344facc1900f9ac642d760N.exe	85
PID 2900 wrote to memory of 3120	2900	769b30ce75344facc1900f9ac642d760N.exe	85
PID 2900 wrote to memory of 3120	2900	769b30ce75344facc1900f9ac642d760N.exe	85
PID 2900 wrote to memory of 3812	2900	769b30ce75344facc1900f9ac642d760N.exe	86
PID 2900 wrote to memory of 3812	2900	769b30ce75344facc1900f9ac642d760N.exe	86
PID 2900 wrote to memory of 3812	2900	769b30ce75344facc1900f9ac642d760N.exe	86
PID 2900 wrote to memory of 2124	2900	769b30ce75344facc1900f9ac642d760N.exe	87
PID 2900 wrote to memory of 2124	2900	769b30ce75344facc1900f9ac642d760N.exe	87
PID 2900 wrote to memory of 2124	2900	769b30ce75344facc1900f9ac642d760N.exe	87
PID 2104 wrote to memory of 1876	2104	nEwb0Rn.exe	91
PID 2104 wrote to memory of 1876	2104	nEwb0Rn.exe	91
PID 2104 wrote to memory of 1876	2104	nEwb0Rn.exe	91
PID 2104 wrote to memory of 4460	2104	nEwb0Rn.exe	92
PID 2104 wrote to memory of 4460	2104	nEwb0Rn.exe	92
PID 2104 wrote to memory of 4460	2104	nEwb0Rn.exe	92
PID 2104 wrote to memory of 1728	2104	nEwb0Rn.exe	93
PID 2104 wrote to memory of 1728	2104	nEwb0Rn.exe	93
PID 2104 wrote to memory of 1728	2104	nEwb0Rn.exe	93
PID 3812 wrote to memory of 4256	3812	WINLOGON.EXE	94
PID 3812 wrote to memory of 4256	3812	WINLOGON.EXE	94
PID 3812 wrote to memory of 4256	3812	WINLOGON.EXE	94
PID 3120 wrote to memory of 452	3120	WishfulThinking.exe	95
PID 3120 wrote to memory of 452	3120	WishfulThinking.exe	95
PID 3120 wrote to memory of 452	3120	WishfulThinking.exe	95
PID 3812 wrote to memory of 3448	3812	WINLOGON.EXE	96
PID 3812 wrote to memory of 3448	3812	WINLOGON.EXE	96
PID 3812 wrote to memory of 3448	3812	WINLOGON.EXE	96
PID 3120 wrote to memory of 5104	3120	WishfulThinking.exe	97
PID 3120 wrote to memory of 5104	3120	WishfulThinking.exe	97
PID 3120 wrote to memory of 5104	3120	WishfulThinking.exe	97
PID 3812 wrote to memory of 208	3812	WINLOGON.EXE	98
PID 3812 wrote to memory of 208	3812	WINLOGON.EXE	98
PID 3812 wrote to memory of 208	3812	WINLOGON.EXE	98
PID 3120 wrote to memory of 4996	3120	WishfulThinking.exe	99
PID 3120 wrote to memory of 4996	3120	WishfulThinking.exe	99
PID 3120 wrote to memory of 4996	3120	WishfulThinking.exe	99
PID 3812 wrote to memory of 1676	3812	WINLOGON.EXE	100
PID 3812 wrote to memory of 1676	3812	WINLOGON.EXE	100
PID 2124 wrote to memory of 1304	2124	SERVICES.EXE	101
PID 3812 wrote to memory of 1676	3812	WINLOGON.EXE	100
PID 2124 wrote to memory of 1304	2124	SERVICES.EXE	101
PID 2124 wrote to memory of 1304	2124	SERVICES.EXE	101
PID 2104 wrote to memory of 3040	2104	nEwb0Rn.exe	102
PID 2104 wrote to memory of 3040	2104	nEwb0Rn.exe	102
PID 2104 wrote to memory of 3040	2104	nEwb0Rn.exe	102
PID 3120 wrote to memory of 1004	3120	WishfulThinking.exe	103
PID 3120 wrote to memory of 1004	3120	WishfulThinking.exe	103
PID 3120 wrote to memory of 1004	3120	WishfulThinking.exe	103
PID 2124 wrote to memory of 2860	2124	SERVICES.EXE	104
PID 2124 wrote to memory of 2860	2124	SERVICES.EXE	104
PID 2124 wrote to memory of 2860	2124	SERVICES.EXE	104
PID 2124 wrote to memory of 3196	2124	SERVICES.EXE	105
PID 2124 wrote to memory of 3196	2124	SERVICES.EXE	105
PID 2124 wrote to memory of 3196	2124	SERVICES.EXE	105
PID 2124 wrote to memory of 3432	2124	SERVICES.EXE	106
PID 2124 wrote to memory of 3432	2124	SERVICES.EXE	106
PID 2124 wrote to memory of 3432	2124	SERVICES.EXE	106

System policy modification 1 TTPs 35 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe

C:\Users\Admin\AppData\Local\Temp\769b30ce75344facc1900f9ac642d760N.exe
"C:\Users\Admin\AppData\Local\Temp\769b30ce75344facc1900f9ac642d760N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2900
- C:\Windows\nEwb0Rn.exe
  C:\Windows\nEwb0Rn.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2104
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1876
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4460
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1728
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3040
- C:\Windows\SysWOW64\WishfulThinking.exe
  C:\Windows\system32\WishfulThinking.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3120
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:452
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5104
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4996
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1004
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3812
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4256
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3448
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:208
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1676
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2124
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1304
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2860
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3196
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
52KB

MD5
b0c53243d0389cf5d5c364f167bbee6e

SHA1
f6969bab6c395232d85245fd23816077500ef969

SHA256
0be7ccfa6a892166881f59eccc931443a13895060f36cea28185aa1b8920a44e

SHA512
976bb21f02a931b40dd95f5ea223273ea0c332fbb771df16dfceeeb642b780cc9c56ed0518d05e0a32f8077108ba1852daaea257e9a1fd89f239da507f3f8d1f

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
52KB

MD5
33a0aa9124203d056049dae1309fbf72

SHA1
f91f3a1bb7068ea2ab25bef37a1ea3ae19ee4014

SHA256
f7f112cd65b379aae7675f929d0636bcdf35702ecc4b5d51b644e055e334f2ef

SHA512
7abaf2712a3bbafa5c0140e2841614bc512c6c709ac1cbae116b13e8b9c4582e2d4f5abd2b1f185d8a079cf5d1f0840c632b51631dc465aefd7f28b73bf169fa

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
52KB

MD5
afd4bcd6f11218d25dd0771887f86c0e

SHA1
dd8e0cf07f6cd7103823512862275d1a9a1ff3a9

SHA256
d944c26838c9bdd51500ee5e7bef17672a45d21f442f1f0be352f9c756289221

SHA512
232137dac193bb81ba396eee7ac030cd9ca33954ca832a7059d9aaf4e2cd82364974b58dd26ad115ba74f969b6d3831cf7da40f30b9d5dbe29d1ec2ad2e29ac3

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
52KB

MD5
74d222409bb7a53aae7d2dde5231e72a

SHA1
75dbbad0de8ac183c02ff0652082b88511576341

SHA256
afdbc36ec04712d5278dd948cf72f7a3a424f8325adcfd8d0691b89d3d3b712d

SHA512
ec2e4a39a65aadad84c08c78ea3edfa19abc912823ec4772a6b33ce8f436c0d2da5225428f2daf4bffd1335d24ffbd400428eed92056c2a97aebc2cfb9239259

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
52KB

MD5
769b30ce75344facc1900f9ac642d760

SHA1
54c234564e97d7c401846fdc9b553d90f3325895

SHA256
353cad2e2db635c3dbe7301dc03bcda5eb98797da0c1f1e98f10db8458d281f4

SHA512
07f07fae6d5ced4e99770faad9c21f1704b1faa892a004361cf23dbe19b965b36fbe001a417edb137be8c036b3df294984c3d4618b85d3825352e1ffd4b02621

Download Submit
C:\Windows\SysWOW64\JawsOfLife.exe

Filesize
52KB

MD5
d85e154f4a8804f1c8fa524666713d31

SHA1
bac103b8b48c4be83e6a23f64e680ea730529341

SHA256
02c6968002f8677404d5e12cfd0b32a75caaaf28af7466b7803fd03f38b5900c

SHA512
a679b3dc3f7cbc5506739a6367c1df71a254cf57da2570c4255ffc5ad29e1b341ff748977e9367818abd219e582af75541dcf4771310b9ae136fa51d6421163e

Download Submit
C:\Windows\SysWOW64\JawsOfLife.exe

Filesize
52KB

MD5
859d0dba977c4472619eaad4903fe8ba

SHA1
a60c7c0ffa0214e22b3fb1361ab8a186f630c9dc

SHA256
336d52f0d0c481f88940c37cfe8c9a4704592b0251546eafa27929717ddd2bb2

SHA512
32eb4d16871043484a6ac049f397769116a0f37c1729dd267a97b8107760da2fb5ac73245a3334b7d8ca266a7e6056f4bfc8920f668244c3a392e25a996eb796

Download Submit
C:\Windows\SysWOW64\WishfulThinking.exe

Filesize
52KB

MD5
e83b00289c5caad83d919f315ae1f2a0

SHA1
e8816a2c2392c013c3ed047dab658a58bd66cbdb

SHA256
06c2f45f2a333e9b4413a9909525a6337f850c2494e01140e5e619176ecb84e7

SHA512
244cc9bb64c63947f00bf9c0ac20023a774006f815e3e7bda886d73c889e7454b1ad2050494063e6e9ed794e5d4e927fff42e318a9a4df1cd0bcf94662dd6e51

Download Submit
C:\Windows\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\nEwb0Rn.exe

Filesize
52KB

MD5
7ea72e06dc78b33aa7b5bfb094268860

SHA1
86f4dc72004dc8e1ff5dca95d7d49fbc356fdfab

SHA256
f1720a6b32f705ca171afbf5b816ccbb1a4289a92d34ac18f902640ed7b4600e

SHA512
2b1d9b72d017d94c97a553dce94a04519f045d9962ba5bf0159d821a0402d51c0853968a8353a2f961f1f334a3f18d206c279ea038a285c79e93df3d9d2a4086

Download Submit
C:\about.htm

Filesize
2KB

MD5
94c0c5518c4f4bb044842a006d04932a

SHA1
23d9a914f6681d65e2b1faa171f4cf492562ebdb

SHA256
224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e

SHA512
79cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb

Download Submit
C:\nEwb0Rn.exe

Filesize
52KB

MD5
747b1fd92b913a9e7afe109747af26ec

SHA1
6276e7c69f5dd3003a2817badb19e39a24b593fb

SHA256
a12a429670c1911a45c734a8341d518ba008e25aedf5754c5eb05a4e590c056e

SHA512
dbb9aee755cc05facf8fc6ec3104448a4794f4d7060f4a5a956da3667caa9710bd09c4fa2407ad293434ee0b80a60a653f6692c691846df232aedbfb9d95fa86

Download Submit
memory/208-253-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/452-231-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1004-288-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1304-290-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1676-280-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1676-259-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1728-160-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1728-262-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1876-149-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1876-131-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2104-232-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2104-426-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2104-76-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2124-429-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2124-95-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2124-258-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2860-315-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2900-100-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2900-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3040-287-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3120-81-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3120-252-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3120-427-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3196-342-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3432-346-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3432-372-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3448-234-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3448-222-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3812-89-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3812-428-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3812-255-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4256-224-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4256-216-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4460-148-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4460-155-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4996-264-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5104-238-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download