d0cc93336bb5a4413a5a2bd737b5408cd66e244610de54dbdca2780b60c8d054

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2c73d3fbfe5f6a95f18eda74b664390N.exe
Size

52KB
MD5

e2c73d3fbfe5f6a95f18eda74b664390
SHA1

aaba4452ad2a783be8385e857749a8aa4eb01b55
SHA256

d0cc93336bb5a4413a5a2bd737b5408cd66e244610de54dbdca2780b60c8d054
SHA512

e3395c59d0d6b8f619fd0611a6d1c3738eb066a528d53b23eb5b54159596a2b03f2cb8b89bb0e2ff44de51c9d0b23ebf11ce0c9e4ba833d0522a97eb03134cc6
SSDEEP

768:d+ciLamXW9XgMxjFkpvMVX8q18q13yO1oj5n/wWkfw:IzaEW5gMxZVXf8a3yO1opwE

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	WINLOGON.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WINLOGON.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE

Windows security bypass 2 TTPs 25 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	SERVICES.EXE

Blocks application from running via registry modification 30 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	WishfulThinking.exe

Disables RegEdit via registry modification 10 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 10 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	nEwb0Rn.exe

Executes dropped EXE 20 IoCs

pid	Process
1344	nEwb0Rn.exe
1688	WishfulThinking.exe
744	WINLOGON.EXE
4872	SERVICES.EXE
4788	nEwb0Rn.exe
2340	WishfulThinking.exe
880	nEwb0Rn.exe
2736	WishfulThinking.exe
1644	WINLOGON.EXE
1456	SERVICES.EXE
3772	WINLOGON.EXE
1748	nEwb0Rn.exe
4044	SERVICES.EXE
3804	WishfulThinking.exe
1096	WINLOGON.EXE
4444	nEwb0Rn.exe
3216	SERVICES.EXE
4876	WishfulThinking.exe
1936	WINLOGON.EXE
224	SERVICES.EXE

Loads dropped DLL 4 IoCs

pid	Process
4788	nEwb0Rn.exe
880	nEwb0Rn.exe
1748	nEwb0Rn.exe
4444	nEwb0Rn.exe

Modifies system executable filetype association 2 TTPs 62 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE

Windows security modification 2 TTPs 30 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	WINLOGON.EXE

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	WINLOGON.EXE

Drops desktop.ini file(s) 10 IoCs

description	ioc	Process
File opened for modification	F:\desktop.ini	nEwb0Rn.exe
File opened for modification	F:\desktop.ini	WINLOGON.EXE
File created	F:\desktop.ini	WINLOGON.EXE
File opened for modification	C:\desktop.ini	WishfulThinking.exe
File created	C:\desktop.ini	nEwb0Rn.exe
File opened for modification	F:\desktop.ini	WishfulThinking.exe
File created	F:\desktop.ini	WishfulThinking.exe
File created	C:\desktop.ini	WishfulThinking.exe
File opened for modification	C:\desktop.ini	nEwb0Rn.exe
File created	F:\desktop.ini	nEwb0Rn.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	WishfulThinking.exe
File opened (read-only)	\??\M:	WINLOGON.EXE
File opened (read-only)	\??\Y:	SERVICES.EXE
File opened (read-only)	\??\Z:	WINLOGON.EXE
File opened (read-only)	\??\S:	SERVICES.EXE
File opened (read-only)	\??\K:	SERVICES.EXE
File opened (read-only)	\??\X:	SERVICES.EXE
File opened (read-only)	\??\P:	nEwb0Rn.exe
File opened (read-only)	\??\G:	WINLOGON.EXE
File opened (read-only)	\??\W:	WINLOGON.EXE
File opened (read-only)	\??\I:	SERVICES.EXE
File opened (read-only)	\??\O:	nEwb0Rn.exe
File opened (read-only)	\??\J:	WishfulThinking.exe
File opened (read-only)	\??\R:	WishfulThinking.exe
File opened (read-only)	\??\B:	SERVICES.EXE
File opened (read-only)	\??\H:	SERVICES.EXE
File opened (read-only)	\??\N:	nEwb0Rn.exe
File opened (read-only)	\??\P:	WishfulThinking.exe
File opened (read-only)	\??\I:	WINLOGON.EXE
File opened (read-only)	\??\R:	WINLOGON.EXE
File opened (read-only)	\??\S:	WINLOGON.EXE
File opened (read-only)	\??\T:	WINLOGON.EXE
File opened (read-only)	\??\L:	SERVICES.EXE
File opened (read-only)	\??\R:	SERVICES.EXE
File opened (read-only)	\??\Q:	nEwb0Rn.exe
File opened (read-only)	\??\S:	nEwb0Rn.exe
File opened (read-only)	\??\Q:	WishfulThinking.exe
File opened (read-only)	\??\L:	WINLOGON.EXE
File opened (read-only)	\??\U:	SERVICES.EXE
File opened (read-only)	\??\W:	SERVICES.EXE
File opened (read-only)	\??\I:	WishfulThinking.exe
File opened (read-only)	\??\S:	WishfulThinking.exe
File opened (read-only)	\??\J:	SERVICES.EXE
File opened (read-only)	\??\Q:	SERVICES.EXE
File opened (read-only)	\??\V:	WishfulThinking.exe
File opened (read-only)	\??\B:	WINLOGON.EXE
File opened (read-only)	\??\P:	SERVICES.EXE
File opened (read-only)	\??\M:	nEwb0Rn.exe
File opened (read-only)	\??\U:	nEwb0Rn.exe
File opened (read-only)	\??\W:	nEwb0Rn.exe
File opened (read-only)	\??\Y:	nEwb0Rn.exe
File opened (read-only)	\??\Y:	WishfulThinking.exe
File opened (read-only)	\??\J:	WINLOGON.EXE
File opened (read-only)	\??\P:	WINLOGON.EXE
File opened (read-only)	\??\X:	WINLOGON.EXE
File opened (read-only)	\??\E:	nEwb0Rn.exe
File opened (read-only)	\??\H:	nEwb0Rn.exe
File opened (read-only)	\??\V:	nEwb0Rn.exe
File opened (read-only)	\??\O:	WishfulThinking.exe
File opened (read-only)	\??\N:	SERVICES.EXE
File opened (read-only)	\??\T:	WishfulThinking.exe
File opened (read-only)	\??\Z:	WishfulThinking.exe
File opened (read-only)	\??\Q:	WINLOGON.EXE
File opened (read-only)	\??\Y:	WINLOGON.EXE
File opened (read-only)	\??\J:	nEwb0Rn.exe
File opened (read-only)	\??\K:	nEwb0Rn.exe
File opened (read-only)	\??\T:	nEwb0Rn.exe
File opened (read-only)	\??\B:	WishfulThinking.exe
File opened (read-only)	\??\M:	SERVICES.EXE
File opened (read-only)	\??\W:	WishfulThinking.exe
File opened (read-only)	\??\V:	SERVICES.EXE
File opened (read-only)	\??\B:	nEwb0Rn.exe
File opened (read-only)	\??\G:	nEwb0Rn.exe
File opened (read-only)	\??\X:	WishfulThinking.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	SERVICES.EXE
File created	C:\Windows\SysWOW64\DamageControl.scr	e2c73d3fbfe5f6a95f18eda74b664390N.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	WishfulThinking.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	e2c73d3fbfe5f6a95f18eda74b664390N.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	WishfulThinking.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	e2c73d3fbfe5f6a95f18eda74b664390N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\WishfulThinking.exe	nEwb0Rn.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	WishfulThinking.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\JawsOfLife.exe	e2c73d3fbfe5f6a95f18eda74b664390N.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	e2c73d3fbfe5f6a95f18eda74b664390N.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	e2c73d3fbfe5f6a95f18eda74b664390N.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	WINLOGON.EXE

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\nEwb0Rn.exe	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\nEwb0Rn.exe	SERVICES.EXE
File opened for modification	C:\Windows\nEwb0Rn.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	WINLOGON.EXE
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	WishfulThinking.exe
File created	C:\Windows\nEwb0Rn.exe	WINLOGON.EXE
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	e2c73d3fbfe5f6a95f18eda74b664390N.exe
File created	C:\Windows\nEwb0Rn.exe	e2c73d3fbfe5f6a95f18eda74b664390N.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\nEwb0Rn.exe	nEwb0Rn.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	SERVICES.EXE
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WishfulThinking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WishfulThinking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nEwb0Rn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WishfulThinking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WishfulThinking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nEwb0Rn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WishfulThinking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nEwb0Rn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nEwb0Rn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nEwb0Rn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE

Modifies Control Panel 45 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\s2359 = "Animate"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\s1159 = "Inanimate"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\s2359 = "Animate"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\AutoEndTasks = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\s1159 = "Inanimate"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\s1159 = "Inanimate"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\AutoEndTasks = "1"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\s2359 = "Animate"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\AutoEndTasks = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\s1159 = "Inanimate"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\s1159 = "Inanimate"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\AutoEndTasks = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\AutoEndTasks = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\s2359 = "Animate"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\s2359 = "Animate"	e2c73d3fbfe5f6a95f18eda74b664390N.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\	WINLOGON.EXE

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	SERVICES.EXE
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	WishfulThinking.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	nEwb0Rn.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	SERVICES.EXE
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	WINLOGON.EXE
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	SERVICES.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WishfulThinking.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4532	e2c73d3fbfe5f6a95f18eda74b664390N.exe
4532	e2c73d3fbfe5f6a95f18eda74b664390N.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
1344	nEwb0Rn.exe
744	WINLOGON.EXE
1688	WishfulThinking.exe
4872	SERVICES.EXE

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
4532	e2c73d3fbfe5f6a95f18eda74b664390N.exe
1344	nEwb0Rn.exe
1688	WishfulThinking.exe
744	WINLOGON.EXE
4872	SERVICES.EXE
4788	nEwb0Rn.exe
880	nEwb0Rn.exe
2736	WishfulThinking.exe
1644	WINLOGON.EXE
2340	WishfulThinking.exe
3772	WINLOGON.EXE
1748	nEwb0Rn.exe
1456	SERVICES.EXE
4044	SERVICES.EXE
3804	WishfulThinking.exe
1096	WINLOGON.EXE
4444	nEwb0Rn.exe
3216	SERVICES.EXE
4876	WishfulThinking.exe
1936	WINLOGON.EXE
224	SERVICES.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 1344	4532	e2c73d3fbfe5f6a95f18eda74b664390N.exe	85
PID 4532 wrote to memory of 1344	4532	e2c73d3fbfe5f6a95f18eda74b664390N.exe	85
PID 4532 wrote to memory of 1344	4532	e2c73d3fbfe5f6a95f18eda74b664390N.exe	85
PID 4532 wrote to memory of 1688	4532	e2c73d3fbfe5f6a95f18eda74b664390N.exe	86
PID 4532 wrote to memory of 1688	4532	e2c73d3fbfe5f6a95f18eda74b664390N.exe	86
PID 4532 wrote to memory of 1688	4532	e2c73d3fbfe5f6a95f18eda74b664390N.exe	86
PID 4532 wrote to memory of 744	4532	e2c73d3fbfe5f6a95f18eda74b664390N.exe	87
PID 4532 wrote to memory of 744	4532	e2c73d3fbfe5f6a95f18eda74b664390N.exe	87
PID 4532 wrote to memory of 744	4532	e2c73d3fbfe5f6a95f18eda74b664390N.exe	87
PID 4532 wrote to memory of 4872	4532	e2c73d3fbfe5f6a95f18eda74b664390N.exe	88
PID 4532 wrote to memory of 4872	4532	e2c73d3fbfe5f6a95f18eda74b664390N.exe	88
PID 4532 wrote to memory of 4872	4532	e2c73d3fbfe5f6a95f18eda74b664390N.exe	88
PID 1344 wrote to memory of 4788	1344	nEwb0Rn.exe	90
PID 1344 wrote to memory of 4788	1344	nEwb0Rn.exe	90
PID 1344 wrote to memory of 4788	1344	nEwb0Rn.exe	90
PID 1344 wrote to memory of 2340	1344	nEwb0Rn.exe	91
PID 1344 wrote to memory of 2340	1344	nEwb0Rn.exe	91
PID 1344 wrote to memory of 2340	1344	nEwb0Rn.exe	91
PID 1688 wrote to memory of 880	1688	WishfulThinking.exe	92
PID 1688 wrote to memory of 880	1688	WishfulThinking.exe	92
PID 1688 wrote to memory of 880	1688	WishfulThinking.exe	92
PID 1688 wrote to memory of 2736	1688	WishfulThinking.exe	93
PID 1688 wrote to memory of 2736	1688	WishfulThinking.exe	93
PID 1688 wrote to memory of 2736	1688	WishfulThinking.exe	93
PID 1688 wrote to memory of 1644	1688	WishfulThinking.exe	94
PID 1688 wrote to memory of 1644	1688	WishfulThinking.exe	94
PID 1688 wrote to memory of 1644	1688	WishfulThinking.exe	94
PID 1688 wrote to memory of 1456	1688	WishfulThinking.exe	95
PID 1688 wrote to memory of 1456	1688	WishfulThinking.exe	95
PID 1688 wrote to memory of 1456	1688	WishfulThinking.exe	95
PID 1344 wrote to memory of 3772	1344	nEwb0Rn.exe	96
PID 1344 wrote to memory of 3772	1344	nEwb0Rn.exe	96
PID 1344 wrote to memory of 3772	1344	nEwb0Rn.exe	96
PID 744 wrote to memory of 1748	744	WINLOGON.EXE	97
PID 744 wrote to memory of 1748	744	WINLOGON.EXE	97
PID 744 wrote to memory of 1748	744	WINLOGON.EXE	97
PID 1344 wrote to memory of 4044	1344	nEwb0Rn.exe	98
PID 1344 wrote to memory of 4044	1344	nEwb0Rn.exe	98
PID 1344 wrote to memory of 4044	1344	nEwb0Rn.exe	98
PID 744 wrote to memory of 3804	744	WINLOGON.EXE	99
PID 744 wrote to memory of 3804	744	WINLOGON.EXE	99
PID 744 wrote to memory of 3804	744	WINLOGON.EXE	99
PID 744 wrote to memory of 1096	744	WINLOGON.EXE	101
PID 744 wrote to memory of 1096	744	WINLOGON.EXE	101
PID 744 wrote to memory of 1096	744	WINLOGON.EXE	101
PID 4872 wrote to memory of 4444	4872	SERVICES.EXE	102
PID 4872 wrote to memory of 4444	4872	SERVICES.EXE	102
PID 4872 wrote to memory of 4444	4872	SERVICES.EXE	102
PID 744 wrote to memory of 3216	744	WINLOGON.EXE	103
PID 744 wrote to memory of 3216	744	WINLOGON.EXE	103
PID 744 wrote to memory of 3216	744	WINLOGON.EXE	103
PID 4872 wrote to memory of 4876	4872	SERVICES.EXE	104
PID 4872 wrote to memory of 4876	4872	SERVICES.EXE	104
PID 4872 wrote to memory of 4876	4872	SERVICES.EXE	104
PID 4872 wrote to memory of 1936	4872	SERVICES.EXE	105
PID 4872 wrote to memory of 1936	4872	SERVICES.EXE	105
PID 4872 wrote to memory of 1936	4872	SERVICES.EXE	105
PID 4872 wrote to memory of 224	4872	SERVICES.EXE	106
PID 4872 wrote to memory of 224	4872	SERVICES.EXE	106
PID 4872 wrote to memory of 224	4872	SERVICES.EXE	106

System policy modification 1 TTPs 35 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	e2c73d3fbfe5f6a95f18eda74b664390N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WINLOGON.EXE

C:\Users\Admin\AppData\Local\Temp\e2c73d3fbfe5f6a95f18eda74b664390N.exe
"C:\Users\Admin\AppData\Local\Temp\e2c73d3fbfe5f6a95f18eda74b664390N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4532
- C:\Windows\nEwb0Rn.exe
  C:\Windows\nEwb0Rn.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1344
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4788
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2340
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3772
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4044
- C:\Windows\SysWOW64\WishfulThinking.exe
  C:\Windows\system32\WishfulThinking.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1688
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:880
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2736
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1644
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1456
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:744
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1748
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3804
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1096
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3216
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4872
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4444
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4876
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1936
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
52KB

MD5
cd0b1bf17ec23186851bc27e2fd56953

SHA1
fe6f569a697a0ce79da976407a90467782ba976f

SHA256
9fb7a3e37b87f855e6c386df0e3505566a0b609e90cf97101659cdda7e220048

SHA512
fdfe8e478bd3f43626bb8ead5eb79311a2e4aa6ba030e2e5849861341e8b62af19d8e5dc413910e6f47a4fa1e70cb910ff47cd79d25e21d87850ef30111603d8

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
52KB

MD5
63265c065e454385c36b0876923fe826

SHA1
cc91e264417d5e588543c173cda96469d85ff7a0

SHA256
f987eb02b38d7bb02b322e026369cebb238957f4b85a02a0ba1b0ef306e7df42

SHA512
1b6b2222c87b4c82490605da2596900d5fa050897e5a50eeba506d92180e86536c94fda3165aa96e661b2bec21b00bf3c6edd18b2f609abfd2072817af737cdb

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
52KB

MD5
ec8d82559cfd9b65fd9ee061bcd4b386

SHA1
509e42a4faa49d33f275450bf26017f0ca421484

SHA256
e3dff42f2799c92aa90d534b7bab41f06d53be77a3680cad20eecaa03aeb09e8

SHA512
3fa6e0206d8366d47dc57f83eeabdf7fc46bc47752fab75405914a1c429804a80fd72fb7db18e1f40ad035360a75a1f69b52c26dce9962974e9f633ac7303c6e

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
52KB

MD5
e2c73d3fbfe5f6a95f18eda74b664390

SHA1
aaba4452ad2a783be8385e857749a8aa4eb01b55

SHA256
d0cc93336bb5a4413a5a2bd737b5408cd66e244610de54dbdca2780b60c8d054

SHA512
e3395c59d0d6b8f619fd0611a6d1c3738eb066a528d53b23eb5b54159596a2b03f2cb8b89bb0e2ff44de51c9d0b23ebf11ce0c9e4ba833d0522a97eb03134cc6

Download Submit
C:\Windows\SysWOW64\JawsOfLife.exe

Filesize
52KB

MD5
9d52647dc552d5a6f2f82165c9e6faad

SHA1
af53c24e5112f6bf102c86be643714c051a85f3a

SHA256
b6b9e3253f2c11b6dcd02ddf5e53f5d9131ef779fcd6dec1be47ccd3ab226fa3

SHA512
3771e47ba9aad539d9cb5f9b53e4dc67ff53375deda104b65e6c25d188fe724be9593f83f38796e1fe073755b68dd157e569e368e0691cb6bdbc11239088113e

Download Submit
C:\Windows\SysWOW64\JawsOfLife.exe

Filesize
52KB

MD5
d1e9b73c6ec0639edd2ed3090bb1fb8c

SHA1
20247bf14f60dbf1b994d519ab1e250adf3eb3f1

SHA256
dfb31c8dc20147e9f1177df203659bb7c280a9308edf42ebbbf9dec9b5dc0659

SHA512
f19509079c9d2f8b530fce85d3d3ae76bd31ac0739e69b6edfbdb4ae72a0ed5401d11376ea4aab2fa2596c183cb8161bb08559320f0d609407d71c712fb3a4b2

Download Submit
C:\Windows\SysWOW64\WishfulThinking.exe

Filesize
52KB

MD5
3d1d74f53ac57d44fd9985bfb131e205

SHA1
8737e1598d1c23a83b064f62231818bc120cd0aa

SHA256
7278b357de09ae27b5b212b75e8ae3aef01af4ea88b45df8289159841963e805

SHA512
bab73260cfaf5f1fe03e511b34c4b24478dd0cc875a88f19a35267a892f637605b05fcfe530280e55cb5d832e530d16ea50ef56648df151f92b4771c4ae2a531

Download Submit
C:\Windows\nEwb0Rn.exe

Filesize
52KB

MD5
072ff2582f4bfecf3c2ce14ef86d14d3

SHA1
2c3f26ec9ed2e868eba54bfa6c251a3190f973df

SHA256
866f219d3cdd17b12570845f04c14745ad6897db926d6f2842f2ee93a767a33b

SHA512
19024b9be07051a0ccdfbd8c6cf4cf59b0501b57f439fa287551fff25dec1414e7dd67226c51d75eb8658e56286e13901dc1e6a5f0d213cb1a006797da68ff89

Download Submit
C:\about.htm

Filesize
2KB

MD5
94c0c5518c4f4bb044842a006d04932a

SHA1
23d9a914f6681d65e2b1faa171f4cf492562ebdb

SHA256
224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e

SHA512
79cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb

Download Submit
C:\desktop.ini

Filesize
222B

MD5
b78e2c99b0e66f6f6accbebdaa4d8442

SHA1
a546aaed8820b44437538600deba9d08a4a11ddc

SHA256
59e9ccbcb65a03c7965b93c758e4562ff8ddd5500b8ec1b66811f9b62744b2ca

SHA512
82d09d87f8dffbc9c261b8d9dc9437350638197430ecee513bf1803ad18db3b939c56141e970d0d9523c93befebd1e76743b860d9dfd2072280becdf5aa2fc6e

Download Submit
C:\nEwb0Rn.exe

Filesize
52KB

MD5
081627f159cbf374878b43cd8ce6c669

SHA1
1245ad8ccc281d85a17db67f296b41e0dea93640

SHA256
ed24f1e370b10cfc5b2f8133c1a6d2164db4a0e9e298d51b597c4c8982ab650b

SHA512
0a39735c449393548929bbffbcfed7f6b41c6f7533c797c838417adac2109d48c4c8fe956391e6dbdec3b621cb77a09d2b6f97b9df0a3b61b04dbb49caa44e04

Download Submit
C:\nEwb0Rn.exe

Filesize
52KB

MD5
15460bce7373b37fbbd9351f488aebc4

SHA1
30534a9aeec6fe88cc24584c157bc41d11ab67ca

SHA256
055ddfba01c14d573f145f0e16e55e58b0aa2a6b6a653e4ab42d28f70a1f5170

SHA512
dd50dcfef0745daa412613f188faa4d13595b41cd713f7174a5ad2037419dc8bc8bfa3875053a0dce7717fb0cfc7b935488e70bee79d19b620c681bdbc2a3b5b

Download Submit
C:\nEwb0Rn\Folder.htt

Filesize
640B

MD5
5d142e7978321fde49abd9a068b64d97

SHA1
70020fcf7f3d6dafb6c8cd7a55395196a487bef4

SHA256
fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

SHA512
2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

Download Submit
memory/224-396-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/744-235-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/744-89-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/744-400-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/880-180-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/880-188-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1096-272-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1096-314-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1344-220-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1344-76-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1344-398-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1456-253-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1644-206-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1644-213-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1688-229-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1688-81-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1688-399-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1748-248-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1936-378-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2340-215-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2340-151-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2736-211-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2736-189-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3772-239-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3804-264-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4044-251-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4044-236-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4444-331-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4532-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4532-100-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4788-141-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4872-246-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4872-95-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4872-401-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4876-347-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download