Analysis
-
max time kernel
119s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
22/08/2024, 01:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5a7d8173d9c54b048aa527453c2e6c90N.exe
Resource
win7-20240705-en
windows7-x64
28 signatures
120 seconds
Behavioral task
behavioral2
Sample
5a7d8173d9c54b048aa527453c2e6c90N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
27 signatures
120 seconds
General
-
Target
5a7d8173d9c54b048aa527453c2e6c90N.exe
-
Size
52KB
-
MD5
5a7d8173d9c54b048aa527453c2e6c90
-
SHA1
83fa31a1efee3838b8f078fae28ea23cf2403708
-
SHA256
98e68a1b23af97ae9ddaf16668edb3d7fd8e0d980f23bac1b010106dd11555c6
-
SHA512
bbd9ba21ebc36a58226fac63015134e25e51c54733bbe73a2f8d4b26e0da663d06baae7b31678c2e7a7660510d3527c356a88fe6663fe8f15062090cd35ec3bc
-
SSDEEP
768:d+ciLamXW9XgMxjFkpvMVX8q18q13yO1oj5n/wukfw:IzaEW5gMxZVXf8a3yO1opwc
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 10 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" SERVICES.EXE -
Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SERVICES.EXE -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SERVICES.EXE -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe -
Blocks application from running via registry modification 30 IoCs
Adds application to list of disallowed applications.
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ WINLOGON.EXE -
Disables RegEdit via registry modification 10 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE -
Disables use of System Restore points 1 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WishfulThinking.exe -
Executes dropped EXE 20 IoCs
pid Process 2820 nEwb0Rn.exe 2880 WishfulThinking.exe 2032 WINLOGON.EXE 1800 SERVICES.EXE 1816 nEwb0Rn.exe 1764 WishfulThinking.exe 2192 nEwb0Rn.exe 3044 WINLOGON.EXE 1700 nEwb0Rn.exe 2028 nEwb0Rn.exe 1728 SERVICES.EXE 1752 WishfulThinking.exe 1496 WishfulThinking.exe 2508 WINLOGON.EXE 2520 WishfulThinking.exe 2280 SERVICES.EXE 2564 WINLOGON.EXE 2840 SERVICES.EXE 2304 WINLOGON.EXE 3064 SERVICES.EXE -
Loads dropped DLL 28 IoCs
pid Process 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 2820 nEwb0Rn.exe 2820 nEwb0Rn.exe 2820 nEwb0Rn.exe 2820 nEwb0Rn.exe 2880 WishfulThinking.exe 2880 WishfulThinking.exe 2820 nEwb0Rn.exe 2820 nEwb0Rn.exe 1800 SERVICES.EXE 1800 SERVICES.EXE 2032 WINLOGON.EXE 2880 WishfulThinking.exe 2880 WishfulThinking.exe 1800 SERVICES.EXE 1800 SERVICES.EXE 2032 WINLOGON.EXE 1800 SERVICES.EXE 2880 WishfulThinking.exe 2880 WishfulThinking.exe 2032 WINLOGON.EXE 2032 WINLOGON.EXE 2032 WINLOGON.EXE -
Modifies system executable filetype association 2 TTPs 62 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" SERVICES.EXE -
Adds Run key to start application 2 TTPs 15 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" WishfulThinking.exe -
Drops desktop.ini file(s) 8 IoCs
description ioc Process File created C:\desktop.ini nEwb0Rn.exe File opened for modification F:\desktop.ini nEwb0Rn.exe File opened for modification F:\desktop.ini SERVICES.EXE File created F:\desktop.ini SERVICES.EXE File created F:\desktop.ini nEwb0Rn.exe File opened for modification F:\desktop.ini WishfulThinking.exe File created F:\desktop.ini WishfulThinking.exe File opened for modification C:\desktop.ini nEwb0Rn.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\S: nEwb0Rn.exe File opened (read-only) \??\S: WishfulThinking.exe File opened (read-only) \??\X: WishfulThinking.exe File opened (read-only) \??\B: nEwb0Rn.exe File opened (read-only) \??\I: nEwb0Rn.exe File opened (read-only) \??\J: nEwb0Rn.exe File opened (read-only) \??\B: WishfulThinking.exe File opened (read-only) \??\H: WishfulThinking.exe File opened (read-only) \??\N: WishfulThinking.exe File opened (read-only) \??\T: WishfulThinking.exe File opened (read-only) \??\W: nEwb0Rn.exe File opened (read-only) \??\Z: nEwb0Rn.exe File opened (read-only) \??\N: SERVICES.EXE File opened (read-only) \??\G: WINLOGON.EXE File opened (read-only) \??\N: WINLOGON.EXE File opened (read-only) \??\H: nEwb0Rn.exe File opened (read-only) \??\J: SERVICES.EXE File opened (read-only) \??\W: SERVICES.EXE File opened (read-only) \??\R: SERVICES.EXE File opened (read-only) \??\J: WINLOGON.EXE File opened (read-only) \??\Q: WINLOGON.EXE File opened (read-only) \??\V: nEwb0Rn.exe File opened (read-only) \??\G: SERVICES.EXE File opened (read-only) \??\Q: SERVICES.EXE File opened (read-only) \??\E: WishfulThinking.exe File opened (read-only) \??\W: WishfulThinking.exe File opened (read-only) \??\Z: WishfulThinking.exe File opened (read-only) \??\K: WINLOGON.EXE File opened (read-only) \??\O: WINLOGON.EXE File opened (read-only) \??\E: nEwb0Rn.exe File opened (read-only) \??\P: SERVICES.EXE File opened (read-only) \??\T: SERVICES.EXE File opened (read-only) \??\Y: SERVICES.EXE File opened (read-only) \??\M: WishfulThinking.exe File opened (read-only) \??\M: WINLOGON.EXE File opened (read-only) \??\S: WINLOGON.EXE File opened (read-only) \??\X: WINLOGON.EXE File opened (read-only) \??\G: nEwb0Rn.exe File opened (read-only) \??\T: nEwb0Rn.exe File opened (read-only) \??\K: SERVICES.EXE File opened (read-only) \??\Z: WINLOGON.EXE File opened (read-only) \??\K: WishfulThinking.exe File opened (read-only) \??\B: WINLOGON.EXE File opened (read-only) \??\P: nEwb0Rn.exe File opened (read-only) \??\Y: nEwb0Rn.exe File opened (read-only) \??\M: SERVICES.EXE File opened (read-only) \??\U: WINLOGON.EXE File opened (read-only) \??\U: nEwb0Rn.exe File opened (read-only) \??\R: WishfulThinking.exe File opened (read-only) \??\T: WINLOGON.EXE File opened (read-only) \??\J: WishfulThinking.exe File opened (read-only) \??\Y: WishfulThinking.exe File opened (read-only) \??\L: WINLOGON.EXE File opened (read-only) \??\P: WINLOGON.EXE File opened (read-only) \??\R: WINLOGON.EXE File opened (read-only) \??\K: nEwb0Rn.exe File opened (read-only) \??\L: nEwb0Rn.exe File opened (read-only) \??\E: SERVICES.EXE File opened (read-only) \??\Y: WINLOGON.EXE File opened (read-only) \??\O: WishfulThinking.exe File opened (read-only) \??\Q: WishfulThinking.exe File opened (read-only) \??\I: WINLOGON.EXE File opened (read-only) \??\U: SERVICES.EXE File opened (read-only) \??\G: WishfulThinking.exe -
Drops file in System32 directory 33 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\DamageControl.scr WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe SERVICES.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe 5a7d8173d9c54b048aa527453c2e6c90N.exe File created C:\Windows\SysWOW64\WishfulThinking.exe WINLOGON.EXE File created C:\Windows\SysWOW64\DamageControl.scr SERVICES.EXE File opened for modification C:\Windows\SysWOW64\DamageControl.scr nEwb0Rn.exe File opened for modification C:\Windows\SysWOW64\DamageControl.scr WishfulThinking.exe File created C:\Windows\SysWOW64\JawsOfLife.exe 5a7d8173d9c54b048aa527453c2e6c90N.exe File created C:\Windows\SysWOW64\WishfulThinking.exe nEwb0Rn.exe File opened for modification C:\Windows\SysWOW64\DamageControl.scr SERVICES.EXE File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\DamageControl.scr 5a7d8173d9c54b048aa527453c2e6c90N.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe nEwb0Rn.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe WishfulThinking.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe SERVICES.EXE File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe 5a7d8173d9c54b048aa527453c2e6c90N.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe nEwb0Rn.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe WishfulThinking.exe File created C:\Windows\SysWOW64\WishfulThinking.exe WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe WINLOGON.EXE File created C:\Windows\SysWOW64\DamageControl.scr 5a7d8173d9c54b048aa527453c2e6c90N.exe File created C:\Windows\SysWOW64\WishfulThinking.exe 5a7d8173d9c54b048aa527453c2e6c90N.exe File created C:\Windows\SysWOW64\WishfulThinking.exe SERVICES.EXE File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe -
Drops file in Windows directory 20 IoCs
description ioc Process File created C:\Windows\nEwb0Rn.exe WINLOGON.EXE File opened for modification C:\Windows\nEwb0Rn.exe nEwb0Rn.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\nEwb0Rn.exe WINLOGON.EXE File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\nEwb0Rn.exe WishfulThinking.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\nEwb0Rn.exe nEwb0Rn.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\nEwb0Rn.exe 5a7d8173d9c54b048aa527453c2e6c90N.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\nEwb0Rn.exe WishfulThinking.exe File opened for modification C:\Windows\nEwb0Rn.exe SERVICES.EXE File created C:\Windows\nEwb0Rn.exe SERVICES.EXE File created C:\Windows\nEwb0Rn.exe 5a7d8173d9c54b048aa527453c2e6c90N.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 21 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5a7d8173d9c54b048aa527453c2e6c90N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nEwb0Rn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nEwb0Rn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nEwb0Rn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nEwb0Rn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WishfulThinking.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WishfulThinking.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nEwb0Rn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WishfulThinking.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WishfulThinking.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WishfulThinking.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE -
Modifies Control Panel 45 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\International\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\International\s1159 = "Inanimate" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\International\s2359 = "Animate" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\ 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\International\ WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\AutoEndTasks = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\International\s1159 = "Inanimate" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\International\s2359 = "Animate" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\ SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\International\s2359 = "Animate" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\International\ WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\International\s2359 = "Animate" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\AutoEndTasks = "1" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\AutoEndTasks = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\ WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\International\ SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\ WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\AutoEndTasks = "1" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\International\s2359 = "Animate" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\AutoEndTasks = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\International\s1159 = "Inanimate" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\International\s1159 = "Inanimate" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\International\ 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\International\s1159 = "Inanimate" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" WINLOGON.EXE -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\ WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\ SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\ WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\ 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" nEwb0Rn.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ SERVICES.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" SERVICES.EXE Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ WishfulThinking.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" WishfulThinking.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ WINLOGON.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" WINLOGON.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" SERVICES.EXE Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WINLOGON.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ WishfulThinking.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe -
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
pid Process 2820 nEwb0Rn.exe 2032 WINLOGON.EXE 1800 SERVICES.EXE 2880 WishfulThinking.exe -
Suspicious use of SetWindowsHookEx 21 IoCs
pid Process 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 2820 nEwb0Rn.exe 2880 WishfulThinking.exe 2032 WINLOGON.EXE 1800 SERVICES.EXE 1816 nEwb0Rn.exe 1764 WishfulThinking.exe 3044 WINLOGON.EXE 2192 nEwb0Rn.exe 1728 SERVICES.EXE 1700 nEwb0Rn.exe 2028 nEwb0Rn.exe 1752 WishfulThinking.exe 1496 WishfulThinking.exe 2508 WINLOGON.EXE 2520 WishfulThinking.exe 2280 SERVICES.EXE 2564 WINLOGON.EXE 2840 SERVICES.EXE 2304 WINLOGON.EXE 3064 SERVICES.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3016 wrote to memory of 2820 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 30 PID 3016 wrote to memory of 2820 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 30 PID 3016 wrote to memory of 2820 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 30 PID 3016 wrote to memory of 2820 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 30 PID 3016 wrote to memory of 2880 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 31 PID 3016 wrote to memory of 2880 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 31 PID 3016 wrote to memory of 2880 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 31 PID 3016 wrote to memory of 2880 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 31 PID 3016 wrote to memory of 2032 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 32 PID 3016 wrote to memory of 2032 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 32 PID 3016 wrote to memory of 2032 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 32 PID 3016 wrote to memory of 2032 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 32 PID 3016 wrote to memory of 1800 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 33 PID 3016 wrote to memory of 1800 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 33 PID 3016 wrote to memory of 1800 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 33 PID 3016 wrote to memory of 1800 3016 5a7d8173d9c54b048aa527453c2e6c90N.exe 33 PID 2820 wrote to memory of 1816 2820 nEwb0Rn.exe 34 PID 2820 wrote to memory of 1816 2820 nEwb0Rn.exe 34 PID 2820 wrote to memory of 1816 2820 nEwb0Rn.exe 34 PID 2820 wrote to memory of 1816 2820 nEwb0Rn.exe 34 PID 2820 wrote to memory of 1764 2820 nEwb0Rn.exe 35 PID 2820 wrote to memory of 1764 2820 nEwb0Rn.exe 35 PID 2820 wrote to memory of 1764 2820 nEwb0Rn.exe 35 PID 2820 wrote to memory of 1764 2820 nEwb0Rn.exe 35 PID 2880 wrote to memory of 2192 2880 WishfulThinking.exe 36 PID 2880 wrote to memory of 2192 2880 WishfulThinking.exe 36 PID 2880 wrote to memory of 2192 2880 WishfulThinking.exe 36 PID 2880 wrote to memory of 2192 2880 WishfulThinking.exe 36 PID 2820 wrote to memory of 3044 2820 nEwb0Rn.exe 37 PID 2820 wrote to memory of 3044 2820 nEwb0Rn.exe 37 PID 2820 wrote to memory of 3044 2820 nEwb0Rn.exe 37 PID 2820 wrote to memory of 3044 2820 nEwb0Rn.exe 37 PID 1800 wrote to memory of 1700 1800 SERVICES.EXE 39 PID 1800 wrote to memory of 1700 1800 SERVICES.EXE 39 PID 1800 wrote to memory of 1700 1800 SERVICES.EXE 39 PID 1800 wrote to memory of 1700 1800 SERVICES.EXE 39 PID 2032 wrote to memory of 2028 2032 WINLOGON.EXE 38 PID 2032 wrote to memory of 2028 2032 WINLOGON.EXE 38 PID 2032 wrote to memory of 2028 2032 WINLOGON.EXE 38 PID 2032 wrote to memory of 2028 2032 WINLOGON.EXE 38 PID 2880 wrote to memory of 1752 2880 WishfulThinking.exe 40 PID 2880 wrote to memory of 1752 2880 WishfulThinking.exe 40 PID 2880 wrote to memory of 1752 2880 WishfulThinking.exe 40 PID 2880 wrote to memory of 1752 2880 WishfulThinking.exe 40 PID 2820 wrote to memory of 1728 2820 nEwb0Rn.exe 41 PID 2820 wrote to memory of 1728 2820 nEwb0Rn.exe 41 PID 2820 wrote to memory of 1728 2820 nEwb0Rn.exe 41 PID 2820 wrote to memory of 1728 2820 nEwb0Rn.exe 41 PID 1800 wrote to memory of 1496 1800 SERVICES.EXE 42 PID 1800 wrote to memory of 1496 1800 SERVICES.EXE 42 PID 1800 wrote to memory of 1496 1800 SERVICES.EXE 42 PID 1800 wrote to memory of 1496 1800 SERVICES.EXE 42 PID 2880 wrote to memory of 2564 2880 WishfulThinking.exe 44 PID 2880 wrote to memory of 2564 2880 WishfulThinking.exe 44 PID 2880 wrote to memory of 2564 2880 WishfulThinking.exe 44 PID 2880 wrote to memory of 2564 2880 WishfulThinking.exe 44 PID 1800 wrote to memory of 2508 1800 SERVICES.EXE 45 PID 1800 wrote to memory of 2508 1800 SERVICES.EXE 45 PID 1800 wrote to memory of 2508 1800 SERVICES.EXE 45 PID 1800 wrote to memory of 2508 1800 SERVICES.EXE 45 PID 2032 wrote to memory of 2520 2032 WINLOGON.EXE 43 PID 2032 wrote to memory of 2520 2032 WINLOGON.EXE 43 PID 2032 wrote to memory of 2520 2032 WINLOGON.EXE 43 PID 2032 wrote to memory of 2520 2032 WINLOGON.EXE 43 -
System policy modification 1 TTPs 35 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 5a7d8173d9c54b048aa527453c2e6c90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" 5a7d8173d9c54b048aa527453c2e6c90N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a7d8173d9c54b048aa527453c2e6c90N.exe"C:\Users\Admin\AppData\Local\Temp\5a7d8173d9c54b048aa527453c2e6c90N.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3016 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2820 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1816
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1764
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3044
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1728
-
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2880 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2192
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1752
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2564
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2840
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2032 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2028
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2520
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2304
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3064
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1800 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1700
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1496
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2508
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2280
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
52KB
MD5ed743f1c1790ceead38675ed42afba2f
SHA14bc4f8470189e1af3d00c51df02d6c5b0309b090
SHA2560302f5a14b693309eee9ac03bd950dcdad2fda8950f8ea1c04bcea29896b328e
SHA5123bf4c322c0dc7ddb2f7f09a8eadac185287b05f6144c7cea08a009698b0e26ac1da701bc9c5e4e5227cdc703e26711fbfa67d902081e214f31a73f01bd17aa70
-
Filesize
52KB
MD5e9f897d9f71ecd48f0afc7002085592f
SHA1b0f58554396452c42bf792f523a71ffa04388cb8
SHA256ca9c6ada002872998e36f99b2dddd316cb4d92212307485a4cb04fe5317cae35
SHA5124399a13707e082666664b2594a63d63e0d454e340bffe80d31e1b180034215c1f0daee0e00f5f33030d1261cbb19c6a769447d0379ffcd0d5b7daf7e7f04c8dc
-
Filesize
52KB
MD5cefd6522fb2b0628662e668044110151
SHA19659c58974bf125c8bbd0046b4614f07ad5ee543
SHA256b962965262a1dbea53222d26fb9dc0cd23d277bfe853271b753eee4d64737244
SHA5121c5b2243450896dede99ed593ca7b2f62e79c0ebd20fbcf1e063648a8efad08c128701771690a79845c1eae4e5a5352f6446b701013b167b7da27ff5607cf18d
-
Filesize
52KB
MD5d0e8db11b2e803f348f0239c6c5dcec4
SHA1c1bb90e72fb67d0d6aaea79e0f951a06fc56f347
SHA256076b44342c95b667d58f14536c241c00912338d148188fefe018f6cfe16faaf1
SHA51271c51014e522dff114a85f85dfbceee935dd015e16d68635871c5eabb0c38d7c4c13859b33b31ac7446c95e0752f0783bff666608b09b25c4933978d6679e2eb
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
52KB
MD56f20e7a4c587e6e490a9ebddf887b02b
SHA12a40edcce9b304224939551fe2560aa9da22d048
SHA25648cdbb56bd8d5107458b07b3d730af7c341226fd8dfbf1962d9157f2bc4dc31b
SHA512557e6241680b2267635e152a4d0806d0d31ef786df4ec836abfc73b1286ac2b9aa6f5430fa756cd2b3366b4f390356deb65dee514a0f21f9e5550e19c0579ecf
-
Filesize
52KB
MD55a7d8173d9c54b048aa527453c2e6c90
SHA183fa31a1efee3838b8f078fae28ea23cf2403708
SHA25698e68a1b23af97ae9ddaf16668edb3d7fd8e0d980f23bac1b010106dd11555c6
SHA512bbd9ba21ebc36a58226fac63015134e25e51c54733bbe73a2f8d4b26e0da663d06baae7b31678c2e7a7660510d3527c356a88fe6663fe8f15062090cd35ec3bc
-
Filesize
52KB
MD587affc793bd0a97a62bcde95a0b90aa2
SHA1dfcbd95fe93f906856e7d576997720bb47a53255
SHA25626b3c033536b0c01af616c7d7c5df8865c3b2928306b314219f6f2f9ac10520f
SHA5128612be3f1354b1f9705d68448aa8b70aca8fb754db3471069b00fcc10082af5ffea180684b0ec507faeba1f0c79862f3c24cf6c0431c187113640ee4856848e9
-
Filesize
52KB
MD59671c2e8025f5ec036292543f11b12f4
SHA1e07a2b1ad69b32386cbb254932a8629d208a31f2
SHA2561d2fbf6bee672e2671fedc26295fac9436ad193255c7b9b20d9645b48ad1236d
SHA512b31a1687104d1f5ddc03e5c6d38a9ae263e099b78f11b4e136390625b73288e659154eb6cc1de6dc2080924ed3c72962a2df96ff8a3d94760438cd8841d43aa7
-
Filesize
2KB
MD594c0c5518c4f4bb044842a006d04932a
SHA123d9a914f6681d65e2b1faa171f4cf492562ebdb
SHA256224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e
SHA51279cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb
-
Filesize
52KB
MD57b7a1fbd5df6b134488fe523d111efe7
SHA11a41e64f13638f481934beda5226cae4c18a9fde
SHA25676b60a1bcf1b7897b024919de968a2fb266a26708a4aeb7a8802bea16b14dc42
SHA512c738c181563648228cd842b2f3550f9ca8e5f11f58e048a2b82321b25bb2595d10f6d7f389f1c854399a426f41c4c93900d1d0c102eb998981ddd29ee5e6a037
-
Filesize
52KB
MD5f03e34b70a393e5a36bedd76b40bf9ab
SHA1db6cc3cd4dc7b51e17b5948015f035c76e1b12ac
SHA256373932995d85c15effca175e582f8e1b26ab2285effaa6ca159d1ea3a14ec50b
SHA51230682cbfcb144c90f88b004441147d822c12d31c3d1c516aed1ebf895eb583c8f7c2e6e5a12e21886201449585264efc1bffe628b2a0b198b7ae987a54777249