c46b7fe7ca962ffc011e0f356dc0c5e80d4727d3a2057c33bbb443e67f7e4420

Analysis

max time kernel
119s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Size

52KB
MD5

2b1c6494c471b0ad336e3d9ce8c934f0
SHA1

80d42b6a617cebfe2c0668b482b87f8742485f9f
SHA256

c46b7fe7ca962ffc011e0f356dc0c5e80d4727d3a2057c33bbb443e67f7e4420
SHA512

21996e570ee4160cb370a6e9a6829f52c3c650b3f47359df1eef1e258edabcded91f120561e7a74c37c550ff085f19ee6cb05cc818732733f3fe744dc30c0ed6
SSDEEP

768:d+ciLamXW9XgMxjFkpvMVX8q18q13yO1oj5n/wFkfw:IzaEW5gMxZVXf8a3yO1opwB

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	WishfulThinking.exe

Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE

Windows security bypass 2 TTPs 25 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	WINLOGON.EXE

Blocks application from running via registry modification 30 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	SERVICES.EXE

Disables RegEdit via registry modification 10 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 10 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	SERVICES.EXE

Executes dropped EXE 20 IoCs

pid	Process
3144	nEwb0Rn.exe
4228	WishfulThinking.exe
3148	WINLOGON.EXE
3468	SERVICES.EXE
3696	nEwb0Rn.exe
1056	nEwb0Rn.exe
2164	WishfulThinking.exe
2368	WishfulThinking.exe
4148	nEwb0Rn.exe
4856	nEwb0Rn.exe
4592	WishfulThinking.exe
3636	WishfulThinking.exe
2948	WINLOGON.EXE
4840	WINLOGON.EXE
1964	SERVICES.EXE
4768	WINLOGON.EXE
3224	WINLOGON.EXE
376	SERVICES.EXE
4588	SERVICES.EXE
2112	SERVICES.EXE

Loads dropped DLL 4 IoCs

pid	Process
3696	nEwb0Rn.exe
1056	nEwb0Rn.exe
4148	nEwb0Rn.exe
4856	nEwb0Rn.exe

Modifies system executable filetype association 2 TTPs 62 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE

Windows security modification 2 TTPs 30 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	nEwb0Rn.exe

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	WINLOGON.EXE

Drops desktop.ini file(s) 16 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	nEwb0Rn.exe
File opened for modification	C:\desktop.ini	SERVICES.EXE
File opened for modification	F:\desktop.ini	nEwb0Rn.exe
File created	F:\desktop.ini	WINLOGON.EXE
File opened for modification	C:\desktop.ini	WINLOGON.EXE
File opened for modification	F:\desktop.ini	WishfulThinking.exe
File created	F:\desktop.ini	WishfulThinking.exe
File opened for modification	C:\desktop.ini	WishfulThinking.exe
File created	C:\desktop.ini	SERVICES.EXE
File opened for modification	F:\desktop.ini	SERVICES.EXE
File created	F:\desktop.ini	nEwb0Rn.exe
File created	F:\desktop.ini	SERVICES.EXE
File opened for modification	F:\desktop.ini	WINLOGON.EXE
File created	C:\desktop.ini	WishfulThinking.exe
File created	C:\desktop.ini	nEwb0Rn.exe
File created	C:\desktop.ini	WINLOGON.EXE

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	WishfulThinking.exe
File opened (read-only)	\??\E:	nEwb0Rn.exe
File opened (read-only)	\??\R:	SERVICES.EXE
File opened (read-only)	\??\B:	WINLOGON.EXE
File opened (read-only)	\??\Q:	WINLOGON.EXE
File opened (read-only)	\??\Y:	WINLOGON.EXE
File opened (read-only)	\??\L:	SERVICES.EXE
File opened (read-only)	\??\J:	WishfulThinking.exe
File opened (read-only)	\??\B:	nEwb0Rn.exe
File opened (read-only)	\??\N:	nEwb0Rn.exe
File opened (read-only)	\??\S:	nEwb0Rn.exe
File opened (read-only)	\??\X:	SERVICES.EXE
File opened (read-only)	\??\G:	WINLOGON.EXE
File opened (read-only)	\??\T:	WINLOGON.EXE
File opened (read-only)	\??\K:	SERVICES.EXE
File opened (read-only)	\??\U:	SERVICES.EXE
File opened (read-only)	\??\G:	WishfulThinking.exe
File opened (read-only)	\??\S:	WishfulThinking.exe
File opened (read-only)	\??\T:	nEwb0Rn.exe
File opened (read-only)	\??\U:	nEwb0Rn.exe
File opened (read-only)	\??\I:	SERVICES.EXE
File opened (read-only)	\??\G:	nEwb0Rn.exe
File opened (read-only)	\??\P:	nEwb0Rn.exe
File opened (read-only)	\??\V:	nEwb0Rn.exe
File opened (read-only)	\??\O:	WINLOGON.EXE
File opened (read-only)	\??\J:	WINLOGON.EXE
File opened (read-only)	\??\W:	WINLOGON.EXE
File opened (read-only)	\??\B:	SERVICES.EXE
File opened (read-only)	\??\P:	SERVICES.EXE
File opened (read-only)	\??\Q:	WishfulThinking.exe
File opened (read-only)	\??\K:	nEwb0Rn.exe
File opened (read-only)	\??\O:	nEwb0Rn.exe
File opened (read-only)	\??\W:	nEwb0Rn.exe
File opened (read-only)	\??\T:	SERVICES.EXE
File opened (read-only)	\??\W:	SERVICES.EXE
File opened (read-only)	\??\M:	WINLOGON.EXE
File opened (read-only)	\??\P:	WINLOGON.EXE
File opened (read-only)	\??\N:	WishfulThinking.exe
File opened (read-only)	\??\V:	WishfulThinking.exe
File opened (read-only)	\??\Y:	WishfulThinking.exe
File opened (read-only)	\??\Q:	nEwb0Rn.exe
File opened (read-only)	\??\T:	WishfulThinking.exe
File opened (read-only)	\??\U:	WishfulThinking.exe
File opened (read-only)	\??\H:	nEwb0Rn.exe
File opened (read-only)	\??\Y:	SERVICES.EXE
File opened (read-only)	\??\N:	WINLOGON.EXE
File opened (read-only)	\??\R:	WINLOGON.EXE
File opened (read-only)	\??\H:	SERVICES.EXE
File opened (read-only)	\??\J:	SERVICES.EXE
File opened (read-only)	\??\E:	WishfulThinking.exe
File opened (read-only)	\??\M:	WishfulThinking.exe
File opened (read-only)	\??\I:	nEwb0Rn.exe
File opened (read-only)	\??\L:	WINLOGON.EXE
File opened (read-only)	\??\G:	SERVICES.EXE
File opened (read-only)	\??\M:	SERVICES.EXE
File opened (read-only)	\??\N:	SERVICES.EXE
File opened (read-only)	\??\Q:	SERVICES.EXE
File opened (read-only)	\??\I:	WishfulThinking.exe
File opened (read-only)	\??\L:	WishfulThinking.exe
File opened (read-only)	\??\R:	WishfulThinking.exe
File opened (read-only)	\??\S:	WINLOGON.EXE
File opened (read-only)	\??\X:	WINLOGON.EXE
File opened (read-only)	\??\R:	nEwb0Rn.exe
File opened (read-only)	\??\X:	nEwb0Rn.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\JawsOfLife.exe	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	WishfulThinking.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	WINLOGON.EXE
File created	C:\Windows\SysWOW64\WishfulThinking.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\WishfulThinking.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	nEwb0Rn.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\DamageControl.scr	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	SERVICES.EXE

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	WINLOGON.EXE
File created	C:\Windows\nEwb0Rn.exe	WINLOGON.EXE
File opened for modification	C:\Windows\nEwb0Rn.exe	SERVICES.EXE
File created	C:\Windows\nEwb0Rn.exe	SERVICES.EXE
File created	C:\Windows\nEwb0Rn.exe	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\nEwb0Rn.exe	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	nEwb0Rn.exe
File created	C:\Windows\nEwb0Rn.exe	nEwb0Rn.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nEwb0Rn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nEwb0Rn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nEwb0Rn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WishfulThinking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WishfulThinking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nEwb0Rn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WishfulThinking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WishfulThinking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nEwb0Rn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WishfulThinking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE

Modifies Control Panel 45 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\AutoEndTasks = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\AutoEndTasks = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\AutoEndTasks = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\s1159 = "Inanimate"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\AutoEndTasks = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\s2359 = "Animate"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\s2359 = "Animate"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\s1159 = "Inanimate"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\s1159 = "Inanimate"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\AutoEndTasks = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\s1159 = "Inanimate"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\s2359 = "Animate"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\s1159 = "Inanimate"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\s2359 = "Animate"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\s2359 = "Animate"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\	SERVICES.EXE

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	nEwb0Rn.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	WINLOGON.EXE
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	nEwb0Rn.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	nEwb0Rn.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	SERVICES.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1468	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
1468	2b1c6494c471b0ad336e3d9ce8c934f0N.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
3148	WINLOGON.EXE
3144	nEwb0Rn.exe
3468	SERVICES.EXE
4228	WishfulThinking.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
1468	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
3144	nEwb0Rn.exe
4228	WishfulThinking.exe
3148	WINLOGON.EXE
3468	SERVICES.EXE
3696	nEwb0Rn.exe
1056	nEwb0Rn.exe
2368	WishfulThinking.exe
4148	nEwb0Rn.exe
4856	nEwb0Rn.exe
2164	WishfulThinking.exe
2948	WINLOGON.EXE
3636	WishfulThinking.exe
4592	WishfulThinking.exe
4840	WINLOGON.EXE
1964	SERVICES.EXE
4768	WINLOGON.EXE
3224	WINLOGON.EXE
376	SERVICES.EXE
4588	SERVICES.EXE
2112	SERVICES.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 3144	1468	2b1c6494c471b0ad336e3d9ce8c934f0N.exe	84
PID 1468 wrote to memory of 3144	1468	2b1c6494c471b0ad336e3d9ce8c934f0N.exe	84
PID 1468 wrote to memory of 3144	1468	2b1c6494c471b0ad336e3d9ce8c934f0N.exe	84
PID 1468 wrote to memory of 4228	1468	2b1c6494c471b0ad336e3d9ce8c934f0N.exe	85
PID 1468 wrote to memory of 4228	1468	2b1c6494c471b0ad336e3d9ce8c934f0N.exe	85
PID 1468 wrote to memory of 4228	1468	2b1c6494c471b0ad336e3d9ce8c934f0N.exe	85
PID 1468 wrote to memory of 3148	1468	2b1c6494c471b0ad336e3d9ce8c934f0N.exe	87
PID 1468 wrote to memory of 3148	1468	2b1c6494c471b0ad336e3d9ce8c934f0N.exe	87
PID 1468 wrote to memory of 3148	1468	2b1c6494c471b0ad336e3d9ce8c934f0N.exe	87
PID 1468 wrote to memory of 3468	1468	2b1c6494c471b0ad336e3d9ce8c934f0N.exe	88
PID 1468 wrote to memory of 3468	1468	2b1c6494c471b0ad336e3d9ce8c934f0N.exe	88
PID 1468 wrote to memory of 3468	1468	2b1c6494c471b0ad336e3d9ce8c934f0N.exe	88
PID 3144 wrote to memory of 3696	3144	nEwb0Rn.exe	90
PID 3144 wrote to memory of 3696	3144	nEwb0Rn.exe	90
PID 3144 wrote to memory of 3696	3144	nEwb0Rn.exe	90
PID 4228 wrote to memory of 1056	4228	WishfulThinking.exe	92
PID 4228 wrote to memory of 1056	4228	WishfulThinking.exe	92
PID 4228 wrote to memory of 1056	4228	WishfulThinking.exe	92
PID 3144 wrote to memory of 2164	3144	nEwb0Rn.exe	91
PID 3144 wrote to memory of 2164	3144	nEwb0Rn.exe	91
PID 3144 wrote to memory of 2164	3144	nEwb0Rn.exe	91
PID 4228 wrote to memory of 2368	4228	WishfulThinking.exe	93
PID 4228 wrote to memory of 2368	4228	WishfulThinking.exe	93
PID 4228 wrote to memory of 2368	4228	WishfulThinking.exe	93
PID 3148 wrote to memory of 4148	3148	WINLOGON.EXE	94
PID 3148 wrote to memory of 4148	3148	WINLOGON.EXE	94
PID 3148 wrote to memory of 4148	3148	WINLOGON.EXE	94
PID 3468 wrote to memory of 4856	3468	SERVICES.EXE	95
PID 3468 wrote to memory of 4856	3468	SERVICES.EXE	95
PID 3468 wrote to memory of 4856	3468	SERVICES.EXE	95
PID 3148 wrote to memory of 4592	3148	WINLOGON.EXE	97
PID 3148 wrote to memory of 4592	3148	WINLOGON.EXE	97
PID 3148 wrote to memory of 4592	3148	WINLOGON.EXE	97
PID 3468 wrote to memory of 3636	3468	SERVICES.EXE	99
PID 3468 wrote to memory of 3636	3468	SERVICES.EXE	99
PID 3468 wrote to memory of 3636	3468	SERVICES.EXE	99
PID 4228 wrote to memory of 2948	4228	WishfulThinking.exe	98
PID 4228 wrote to memory of 2948	4228	WishfulThinking.exe	98
PID 4228 wrote to memory of 2948	4228	WishfulThinking.exe	98
PID 3144 wrote to memory of 4840	3144	nEwb0Rn.exe	100
PID 3144 wrote to memory of 4840	3144	nEwb0Rn.exe	100
PID 3144 wrote to memory of 4840	3144	nEwb0Rn.exe	100
PID 4228 wrote to memory of 1964	4228	WishfulThinking.exe	101
PID 4228 wrote to memory of 1964	4228	WishfulThinking.exe	101
PID 4228 wrote to memory of 1964	4228	WishfulThinking.exe	101
PID 3148 wrote to memory of 4768	3148	WINLOGON.EXE	102
PID 3148 wrote to memory of 4768	3148	WINLOGON.EXE	102
PID 3148 wrote to memory of 4768	3148	WINLOGON.EXE	102
PID 3468 wrote to memory of 3224	3468	SERVICES.EXE	103
PID 3468 wrote to memory of 3224	3468	SERVICES.EXE	103
PID 3468 wrote to memory of 3224	3468	SERVICES.EXE	103
PID 3144 wrote to memory of 376	3144	nEwb0Rn.exe	104
PID 3144 wrote to memory of 376	3144	nEwb0Rn.exe	104
PID 3144 wrote to memory of 376	3144	nEwb0Rn.exe	104
PID 3148 wrote to memory of 4588	3148	WINLOGON.EXE	105
PID 3148 wrote to memory of 4588	3148	WINLOGON.EXE	105
PID 3148 wrote to memory of 4588	3148	WINLOGON.EXE	105
PID 3468 wrote to memory of 2112	3468	SERVICES.EXE	106
PID 3468 wrote to memory of 2112	3468	SERVICES.EXE	106
PID 3468 wrote to memory of 2112	3468	SERVICES.EXE	106

System policy modification 1 TTPs 35 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	2b1c6494c471b0ad336e3d9ce8c934f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	nEwb0Rn.exe

C:\Users\Admin\AppData\Local\Temp\2b1c6494c471b0ad336e3d9ce8c934f0N.exe
"C:\Users\Admin\AppData\Local\Temp\2b1c6494c471b0ad336e3d9ce8c934f0N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1468
- C:\Windows\nEwb0Rn.exe
  C:\Windows\nEwb0Rn.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3144
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3696
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2164
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4840
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:376
- C:\Windows\SysWOW64\WishfulThinking.exe
  C:\Windows\system32\WishfulThinking.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4228
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1056
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2368
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2948
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1964
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3148
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4148
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4592
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4768
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4588
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3468
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4856
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3636
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3224
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
52KB

MD5
850060fdf106929d2edf9ee7b1f8fa40

SHA1
6ec2d63b11980469a1c29cdba25853a92e7b7ec9

SHA256
dbec3764db6babb91391f7b9c18af3c2531fefdbbe337330294a3bb1b8a0a398

SHA512
d46ce95f30cf8a7263a9751845d17c92245d9f1bbaea5e5e7055c371335227139863f9c6c4bbfb12f0aaf956cd73e0946725623f86f23f864be3fa8fc1da6f73

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
52KB

MD5
ebec5b00aa2484e61cbdd7c4be3ac955

SHA1
97eddd49699f05cba47e61f4fff0bd87e5273f06

SHA256
308d0a5ce9a4c844bbf5bf29ffe762e6ff2796590bdffdd7839ded4c7cacac55

SHA512
94d7cac181eaf69a1d6407a04b3e753460a9a3f5d999079a9fa9147392927ce22ed35c7c044799b8fddc087a675a61e795f53c0226da15b34eca7610e8de129c

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
52KB

MD5
19068d60686359d65de62c5f167ff9e3

SHA1
5b73098de164c37b1b5017585bfbd426a2d72e45

SHA256
5f842b30c0a028463c0b86977c82d9f0ea0dc9198786e1eb89f81f57c66b5ab6

SHA512
47cbe953ee8fb900fba12619583ea98b8bf5fe0f814563c259751c06351b9e5476daf2b60b57b406262e973515f5132bc930602bb3460f63c66d00eb5441fa64

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
52KB

MD5
2b1c6494c471b0ad336e3d9ce8c934f0

SHA1
80d42b6a617cebfe2c0668b482b87f8742485f9f

SHA256
c46b7fe7ca962ffc011e0f356dc0c5e80d4727d3a2057c33bbb443e67f7e4420

SHA512
21996e570ee4160cb370a6e9a6829f52c3c650b3f47359df1eef1e258edabcded91f120561e7a74c37c550ff085f19ee6cb05cc818732733f3fe744dc30c0ed6

Download Submit
C:\Windows\SysWOW64\JawsOfLife.exe

Filesize
52KB

MD5
7bde935e17f6f613e54906db721af635

SHA1
7b1ce30f9766b05fe401e6a023d296b15edece39

SHA256
778c3165a176efa01eea8045dadc6b6968889918f322b5fd647165e977b49b36

SHA512
7e34ae42ee27180bcc41acfb6822635d86041e996b8305b0058b2dc4694c2654d29351d2ed01222202118fb46d49cc17b9a89850093fa3ed3a27637b70cf80e6

Download Submit
C:\Windows\SysWOW64\WishfulThinking.exe

Filesize
52KB

MD5
367c4a003e5e5d7fdf38d41fe7cb1c43

SHA1
14695e4b6c1d0dfa665b2e33c1b26935a7570747

SHA256
64d30ac58cb78c4f8411576c2bb4a1406d27a6b2b6fa9020b4de944ce4675012

SHA512
e6f7249d8ddf44f4496faa64710e99f6a0808ffd7b0adc26b30980965908eb4d35bb4d42a18258779a7ba17376901a1e383a21cb05124e3169c9c2ee662132f8

Download Submit
C:\Windows\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\nEwb0Rn.exe

Filesize
52KB

MD5
7872710af387f4155da23d1504b92842

SHA1
0fd43329f7cd96e087731b9dc39908bd93fa0c9a

SHA256
d45767f77f29f15d2856c4c43505bee518b8253f087b6e05ab137b48ae13fed5

SHA512
00a4b213c95c6edced27646167d60411c91bf025d4d399b75fd1be778d6c991c042fe227266287800582650cc855d98ffcaaa34306d0ec0addbfcfd58f1f2406

Download Submit
C:\about.htm

Filesize
2KB

MD5
94c0c5518c4f4bb044842a006d04932a

SHA1
23d9a914f6681d65e2b1faa171f4cf492562ebdb

SHA256
224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e

SHA512
79cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb

Download Submit
C:\desktop.ini

Filesize
222B

MD5
b78e2c99b0e66f6f6accbebdaa4d8442

SHA1
a546aaed8820b44437538600deba9d08a4a11ddc

SHA256
59e9ccbcb65a03c7965b93c758e4562ff8ddd5500b8ec1b66811f9b62744b2ca

SHA512
82d09d87f8dffbc9c261b8d9dc9437350638197430ecee513bf1803ad18db3b939c56141e970d0d9523c93befebd1e76743b860d9dfd2072280becdf5aa2fc6e

Download Submit
C:\nEwb0Rn.exe

Filesize
52KB

MD5
577fdc00bffffd5df137989f12d1a621

SHA1
907bffbbf29369af261028f5d4346d9fbd3c51d3

SHA256
e9aa54367a75b21f04267efb8de1c6e8218551bcdc4374fcdb8794debb7df0fc

SHA512
0d4555c5793b7f06b1e69de659d67c0109f702a0bdd99f1381914b5f5b1e276aae828513a89820ae75c51b04fa2021e04e81ebffc03b474d5868b49bbce560d9

Download Submit
C:\nEwb0Rn\Folder.htt

Filesize
640B

MD5
5d142e7978321fde49abd9a068b64d97

SHA1
70020fcf7f3d6dafb6c8cd7a55395196a487bef4

SHA256
fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

SHA512
2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

Download Submit
memory/376-311-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1056-186-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1056-166-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1468-99-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1468-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1964-269-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1964-286-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2164-252-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2368-187-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2368-247-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2948-272-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3144-244-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3144-76-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3144-453-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3148-257-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3148-89-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3148-455-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3224-314-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3468-456-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3468-263-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3636-256-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3636-279-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3696-143-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3696-130-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4148-249-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4148-203-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4228-255-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4228-81-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4228-454-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4588-316-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4592-275-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4768-288-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4768-282-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4840-277-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4856-250-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download