Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20/11/2024, 20:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe
Resource
win7-20240903-en
windows7-x64
28 signatures
150 seconds
Behavioral task
behavioral2
Sample
0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
27 signatures
150 seconds
General
-
Target
0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe
-
Size
52KB
-
MD5
e51e107f9ee3de6202449d7ff315dcac
-
SHA1
40eec8327696857e7f28a3e22346a76e00306a10
-
SHA256
0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db
-
SHA512
8e493bc5c338b1be8b92c243f3172e8a9b9a48df46fc8517bca7c2ce3485fbe148bafaeb51e9a00fec4647c980ebdf1952e879b6a5d6cd9a5eabe30c04de4d10
-
SSDEEP
768:d+ciLamXW9XgMxjFkpvMVX8q18q13yO1oj5n/wpkfw:IzaEW5gMxZVXf8a3yO1opwF
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 10 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" WishfulThinking.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SERVICES.EXE -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" nEwb0Rn.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" SERVICES.EXE -
Blocks application from running via registry modification 30 IoCs
Adds application to list of disallowed applications.
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe -
Disables RegEdit via registry modification 10 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE -
Disables use of System Restore points 1 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe SERVICES.EXE -
Executes dropped EXE 20 IoCs
pid Process 3012 nEwb0Rn.exe 2740 WishfulThinking.exe 2744 WINLOGON.EXE 2592 SERVICES.EXE 2928 nEwb0Rn.exe 1312 WishfulThinking.exe 2872 nEwb0Rn.exe 1648 WishfulThinking.exe 2268 WINLOGON.EXE 1524 nEwb0Rn.exe 1680 WishfulThinking.exe 1364 WINLOGON.EXE 1532 SERVICES.EXE 2660 nEwb0Rn.exe 2336 WINLOGON.EXE 880 SERVICES.EXE 2000 WishfulThinking.exe 2168 SERVICES.EXE 2824 WINLOGON.EXE 2620 SERVICES.EXE -
Loads dropped DLL 28 IoCs
pid Process 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 3012 nEwb0Rn.exe 3012 nEwb0Rn.exe 2740 WishfulThinking.exe 2740 WishfulThinking.exe 3012 nEwb0Rn.exe 3012 nEwb0Rn.exe 2744 WINLOGON.EXE 2744 WINLOGON.EXE 2740 WishfulThinking.exe 2740 WishfulThinking.exe 3012 nEwb0Rn.exe 3012 nEwb0Rn.exe 2744 WINLOGON.EXE 2744 WINLOGON.EXE 2744 WINLOGON.EXE 2592 SERVICES.EXE 2592 SERVICES.EXE 2740 WishfulThinking.exe 2740 WishfulThinking.exe 2592 SERVICES.EXE 2592 SERVICES.EXE 2592 SERVICES.EXE -
Modifies system executable filetype association 2 TTPs 62 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WINLOGON.EXE -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ SERVICES.EXE -
Adds Run key to start application 2 TTPs 15 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" SERVICES.EXE -
Drops desktop.ini file(s) 6 IoCs
description ioc Process File opened for modification C:\desktop.ini nEwb0Rn.exe File created C:\desktop.ini nEwb0Rn.exe File opened for modification F:\desktop.ini nEwb0Rn.exe File created F:\desktop.ini nEwb0Rn.exe File opened for modification F:\desktop.ini WINLOGON.EXE File created F:\desktop.ini WINLOGON.EXE -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: SERVICES.EXE File opened (read-only) \??\N: nEwb0Rn.exe File opened (read-only) \??\V: nEwb0Rn.exe File opened (read-only) \??\R: WINLOGON.EXE File opened (read-only) \??\V: WINLOGON.EXE File opened (read-only) \??\T: WishfulThinking.exe File opened (read-only) \??\P: SERVICES.EXE File opened (read-only) \??\G: WINLOGON.EXE File opened (read-only) \??\Q: WishfulThinking.exe File opened (read-only) \??\Y: WishfulThinking.exe File opened (read-only) \??\T: SERVICES.EXE File opened (read-only) \??\V: SERVICES.EXE File opened (read-only) \??\W: SERVICES.EXE File opened (read-only) \??\N: WishfulThinking.exe File opened (read-only) \??\U: nEwb0Rn.exe File opened (read-only) \??\B: WINLOGON.EXE File opened (read-only) \??\E: WINLOGON.EXE File opened (read-only) \??\J: WINLOGON.EXE File opened (read-only) \??\S: WINLOGON.EXE File opened (read-only) \??\T: WINLOGON.EXE File opened (read-only) \??\S: WishfulThinking.exe File opened (read-only) \??\R: SERVICES.EXE File opened (read-only) \??\L: nEwb0Rn.exe File opened (read-only) \??\I: WINLOGON.EXE File opened (read-only) \??\W: WINLOGON.EXE File opened (read-only) \??\J: WishfulThinking.exe File opened (read-only) \??\L: WishfulThinking.exe File opened (read-only) \??\P: WishfulThinking.exe File opened (read-only) \??\Y: nEwb0Rn.exe File opened (read-only) \??\H: WINLOGON.EXE File opened (read-only) \??\G: nEwb0Rn.exe File opened (read-only) \??\T: nEwb0Rn.exe File opened (read-only) \??\Z: nEwb0Rn.exe File opened (read-only) \??\K: SERVICES.EXE File opened (read-only) \??\M: SERVICES.EXE File opened (read-only) \??\Q: SERVICES.EXE File opened (read-only) \??\I: nEwb0Rn.exe File opened (read-only) \??\G: WishfulThinking.exe File opened (read-only) \??\H: WishfulThinking.exe File opened (read-only) \??\X: WishfulThinking.exe File opened (read-only) \??\N: SERVICES.EXE File opened (read-only) \??\B: nEwb0Rn.exe File opened (read-only) \??\M: WINLOGON.EXE File opened (read-only) \??\B: WishfulThinking.exe File opened (read-only) \??\E: WishfulThinking.exe File opened (read-only) \??\K: WishfulThinking.exe File opened (read-only) \??\M: WishfulThinking.exe File opened (read-only) \??\S: SERVICES.EXE File opened (read-only) \??\X: SERVICES.EXE File opened (read-only) \??\J: nEwb0Rn.exe File opened (read-only) \??\M: nEwb0Rn.exe File opened (read-only) \??\W: nEwb0Rn.exe File opened (read-only) \??\X: nEwb0Rn.exe File opened (read-only) \??\J: SERVICES.EXE File opened (read-only) \??\P: nEwb0Rn.exe File opened (read-only) \??\Q: nEwb0Rn.exe File opened (read-only) \??\S: nEwb0Rn.exe File opened (read-only) \??\L: WINLOGON.EXE File opened (read-only) \??\U: WishfulThinking.exe File opened (read-only) \??\O: SERVICES.EXE File opened (read-only) \??\H: nEwb0Rn.exe File opened (read-only) \??\K: nEwb0Rn.exe File opened (read-only) \??\H: SERVICES.EXE File opened (read-only) \??\L: SERVICES.EXE -
Drops file in System32 directory 32 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe nEwb0Rn.exe File created C:\Windows\SysWOW64\WishfulThinking.exe WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File created C:\Windows\SysWOW64\JawsOfLife.exe 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe File created C:\Windows\SysWOW64\DamageControl.scr 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe File opened for modification C:\Windows\SysWOW64\DamageControl.scr 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe File opened for modification C:\Windows\SysWOW64\DamageControl.scr nEwb0Rn.exe File created C:\Windows\SysWOW64\WishfulThinking.exe nEwb0Rn.exe File opened for modification C:\Windows\SysWOW64\DamageControl.scr WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\DamageControl.scr SERVICES.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe SERVICES.EXE File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe WishfulThinking.exe File created C:\Windows\SysWOW64\WishfulThinking.exe WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe WINLOGON.EXE File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File created C:\Windows\SysWOW64\WishfulThinking.exe 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe File opened for modification C:\Windows\SysWOW64\DamageControl.scr WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe SERVICES.EXE File created C:\Windows\SysWOW64\WishfulThinking.exe SERVICES.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe nEwb0Rn.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe WINLOGON.EXE File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe WishfulThinking.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe -
Drops file in Windows directory 20 IoCs
description ioc Process File created C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\nEwb0Rn.exe SERVICES.EXE File created C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\nEwb0Rn.exe WishfulThinking.exe File opened for modification C:\Windows\nEwb0Rn.exe SERVICES.EXE File opened for modification C:\Windows\nEwb0Rn.exe 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\nEwb0Rn.exe nEwb0Rn.exe File opened for modification C:\Windows\nEwb0Rn.exe WINLOGON.EXE File created C:\Windows\nEwb0Rn.exe 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\nEwb0Rn.exe nEwb0Rn.exe File opened for modification C:\Windows\nEwb0Rn.exe WishfulThinking.exe File created C:\Windows\nEwb0Rn.exe WINLOGON.EXE File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 21 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WishfulThinking.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nEwb0Rn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WishfulThinking.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WishfulThinking.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nEwb0Rn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nEwb0Rn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nEwb0Rn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WishfulThinking.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nEwb0Rn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WishfulThinking.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE -
Modifies Control Panel 45 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s1159 = "Inanimate" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s1159 = "Inanimate" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\ 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\ WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s1159 = "Inanimate" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s2359 = "Animate" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s2359 = "Animate" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\AutoEndTasks = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s2359 = "Animate" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\AutoEndTasks = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\AutoEndTasks = "1" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\ SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s1159 = "Inanimate" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\AutoEndTasks = "1" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s2359 = "Animate" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\AutoEndTasks = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s1159 = "Inanimate" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\ WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s2359 = "Animate" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" SERVICES.EXE -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\ WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\ SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\ 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\ WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" SERVICES.EXE -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" SERVICES.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" SERVICES.EXE Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ WishfulThinking.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" WishfulThinking.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ WINLOGON.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WINLOGON.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" WINLOGON.EXE Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WishfulThinking.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ SERVICES.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe -
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
pid Process 3012 nEwb0Rn.exe 2744 WINLOGON.EXE 2740 WishfulThinking.exe 2592 SERVICES.EXE -
Suspicious use of SetWindowsHookEx 21 IoCs
pid Process 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 3012 nEwb0Rn.exe 2740 WishfulThinking.exe 2744 WINLOGON.EXE 2592 SERVICES.EXE 2928 nEwb0Rn.exe 2872 nEwb0Rn.exe 1312 WishfulThinking.exe 2268 WINLOGON.EXE 1648 WishfulThinking.exe 1524 nEwb0Rn.exe 1680 WishfulThinking.exe 1364 WINLOGON.EXE 1532 SERVICES.EXE 2336 WINLOGON.EXE 2660 nEwb0Rn.exe 2000 WishfulThinking.exe 880 SERVICES.EXE 2168 SERVICES.EXE 2824 WINLOGON.EXE 2620 SERVICES.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2348 wrote to memory of 3012 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 30 PID 2348 wrote to memory of 3012 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 30 PID 2348 wrote to memory of 3012 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 30 PID 2348 wrote to memory of 3012 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 30 PID 2348 wrote to memory of 2740 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 31 PID 2348 wrote to memory of 2740 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 31 PID 2348 wrote to memory of 2740 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 31 PID 2348 wrote to memory of 2740 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 31 PID 2348 wrote to memory of 2744 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 32 PID 2348 wrote to memory of 2744 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 32 PID 2348 wrote to memory of 2744 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 32 PID 2348 wrote to memory of 2744 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 32 PID 2348 wrote to memory of 2592 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 33 PID 2348 wrote to memory of 2592 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 33 PID 2348 wrote to memory of 2592 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 33 PID 2348 wrote to memory of 2592 2348 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe 33 PID 3012 wrote to memory of 2928 3012 nEwb0Rn.exe 34 PID 3012 wrote to memory of 2928 3012 nEwb0Rn.exe 34 PID 3012 wrote to memory of 2928 3012 nEwb0Rn.exe 34 PID 3012 wrote to memory of 2928 3012 nEwb0Rn.exe 34 PID 3012 wrote to memory of 1312 3012 nEwb0Rn.exe 35 PID 3012 wrote to memory of 1312 3012 nEwb0Rn.exe 35 PID 3012 wrote to memory of 1312 3012 nEwb0Rn.exe 35 PID 3012 wrote to memory of 1312 3012 nEwb0Rn.exe 35 PID 2740 wrote to memory of 2872 2740 WishfulThinking.exe 36 PID 2740 wrote to memory of 2872 2740 WishfulThinking.exe 36 PID 2740 wrote to memory of 2872 2740 WishfulThinking.exe 36 PID 2740 wrote to memory of 2872 2740 WishfulThinking.exe 36 PID 2740 wrote to memory of 1648 2740 WishfulThinking.exe 37 PID 2740 wrote to memory of 1648 2740 WishfulThinking.exe 37 PID 2740 wrote to memory of 1648 2740 WishfulThinking.exe 37 PID 2740 wrote to memory of 1648 2740 WishfulThinking.exe 37 PID 3012 wrote to memory of 2268 3012 nEwb0Rn.exe 38 PID 3012 wrote to memory of 2268 3012 nEwb0Rn.exe 38 PID 3012 wrote to memory of 2268 3012 nEwb0Rn.exe 38 PID 3012 wrote to memory of 2268 3012 nEwb0Rn.exe 38 PID 2744 wrote to memory of 1524 2744 WINLOGON.EXE 39 PID 2744 wrote to memory of 1524 2744 WINLOGON.EXE 39 PID 2744 wrote to memory of 1524 2744 WINLOGON.EXE 39 PID 2744 wrote to memory of 1524 2744 WINLOGON.EXE 39 PID 2744 wrote to memory of 1680 2744 WINLOGON.EXE 40 PID 2744 wrote to memory of 1680 2744 WINLOGON.EXE 40 PID 2744 wrote to memory of 1680 2744 WINLOGON.EXE 40 PID 2744 wrote to memory of 1680 2744 WINLOGON.EXE 40 PID 2740 wrote to memory of 1364 2740 WishfulThinking.exe 41 PID 2740 wrote to memory of 1364 2740 WishfulThinking.exe 41 PID 2740 wrote to memory of 1364 2740 WishfulThinking.exe 41 PID 2740 wrote to memory of 1364 2740 WishfulThinking.exe 41 PID 3012 wrote to memory of 1532 3012 nEwb0Rn.exe 42 PID 3012 wrote to memory of 1532 3012 nEwb0Rn.exe 42 PID 3012 wrote to memory of 1532 3012 nEwb0Rn.exe 42 PID 3012 wrote to memory of 1532 3012 nEwb0Rn.exe 42 PID 2592 wrote to memory of 2660 2592 SERVICES.EXE 43 PID 2592 wrote to memory of 2660 2592 SERVICES.EXE 43 PID 2592 wrote to memory of 2660 2592 SERVICES.EXE 43 PID 2592 wrote to memory of 2660 2592 SERVICES.EXE 43 PID 2744 wrote to memory of 2336 2744 WINLOGON.EXE 44 PID 2744 wrote to memory of 2336 2744 WINLOGON.EXE 44 PID 2744 wrote to memory of 2336 2744 WINLOGON.EXE 44 PID 2744 wrote to memory of 2336 2744 WINLOGON.EXE 44 PID 2744 wrote to memory of 880 2744 WINLOGON.EXE 45 PID 2744 wrote to memory of 880 2744 WINLOGON.EXE 45 PID 2744 wrote to memory of 880 2744 WINLOGON.EXE 45 PID 2744 wrote to memory of 880 2744 WINLOGON.EXE 45 -
System policy modification 1 TTPs 35 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" 0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" SERVICES.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe"C:\Users\Admin\AppData\Local\Temp\0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2348 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3012 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2928
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1312
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2268
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1532
-
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2740 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2872
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1648
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1364
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2168
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2744 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1524
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1680
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2336
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:880
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2592 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2660
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2000
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2824
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2620
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
52KB
MD5ab7a195766b96742dab7090f8ba26ca9
SHA192ee910a44b2bf8979bf5a5a76c75cbe72cd267b
SHA256e4eafdad06ea0516bc6b95127270fd416fc4ba2a45a4ecf1477ef13549bb9ce4
SHA51276d04f356002523fae8225101a31c7aaf2a85ea30cb39f110b00de323f0ee5ef444d85d0ef369566a220ea695f40c07781243c213e1c96b2659d3a56d8aaa32c
-
Filesize
52KB
MD5f186d31ecf98e4facf37651babb12604
SHA1781c65b7baabfe1e1e01c38407eed5b38fc65f69
SHA2563dd1b47dd95350a891906a22913dcfd6dd2dcf1c1a297b6b5321c1d66eed9c2c
SHA5121342130479d147743b863c6500b6277eb53d70072cb69ee73b1d88502d4dfd8f960ffb2924bf23d243ead7ec27f2de8d1b4d55b5226ce96a7f7cad75aa277065
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
52KB
MD537fc1ad05be52d30764b03363bc2a441
SHA1c2b8b3a7bfc51f9ffc830b3955c4886c5a29b994
SHA2569abe2773d897cb981ca16549d2ed44848b68854499f5135a5356308d942b2628
SHA512249f7d3603d3db9a5086b2ef6688f0c7554940dcf49e637e9526a14d3ffbeacd1e8f787d86f8a7ae4707a393f6bb0367efe4a3bdb8d99fb52232af2db8b1e39a
-
Filesize
52KB
MD5e51e107f9ee3de6202449d7ff315dcac
SHA140eec8327696857e7f28a3e22346a76e00306a10
SHA2560ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db
SHA5128e493bc5c338b1be8b92c243f3172e8a9b9a48df46fc8517bca7c2ce3485fbe148bafaeb51e9a00fec4647c980ebdf1952e879b6a5d6cd9a5eabe30c04de4d10
-
Filesize
52KB
MD50903b356970833cb3ed934927a067feb
SHA1105437ee42ce0ebffb138525a9621b1a16292e6b
SHA2565ae0f7ce9e924ec18ffd23265b269802d70405f8cced50ec9e2d6e2d34551be4
SHA51265cd06afc9d8f1e281638bc6d737da86f1b0c34d5919f6ecf8a317790d79be063a6a741abfa4ec6d96a7b7acf9b10ce497b8e091911e1a8c1ca0d041af47fc12
-
Filesize
52KB
MD5fa02385d6788592c78a0cee422513652
SHA19ee784cd351872147ce19d464b4bf9880fc0803a
SHA25643148aa4fd4f1d3f066dfdf90261b9728c6dbdff9a828fcc812346205d192c46
SHA512a2df500687a31d3f76d33f3f043171abc9b44303198aa85907d0326286d85fd8387ba948c1ee2359daaf3eaf245181d4301323cef16a50b5ce21886d2a10db3e
-
Filesize
52KB
MD589c9cf3f99b06133465bb6a4717b437a
SHA173c4ce8e1ae0d27ea3c30e84f327368c6ba0995a
SHA256584dd160eaac5e80939018e4860cdfb42251af95e827ff82d60677403b8e8c31
SHA512cd89c12d03bec94b80f58628f1868b1115dbe1e8a64d475cdc3d43f9b59b555ad45f8b0e82e753cc4687f6e21872b2534a4a743d88ff1d49b3c875aa096f8fbe
-
Filesize
2KB
MD594c0c5518c4f4bb044842a006d04932a
SHA123d9a914f6681d65e2b1faa171f4cf492562ebdb
SHA256224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e
SHA51279cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb
-
Filesize
52KB
MD5d3ab5a736dfc354c54760a95f5865fb7
SHA152be5f7dae3ea2a070d123cf8ef2831230f92379
SHA256b7f2d15268d5dd0c7dc790bfdcca9d5dd16937912d17d114a8b014769e189915
SHA5124b66939d21c4c82f6b6e236ce24afb7a4335273f5eaea62d2057445b1e54a674d8717d94f1df0b325aee88ab74e8752f684ceac1840409f49acb1bfa93545aab
-
Filesize
52KB
MD5fec41575687d9dfef803ba0ab1d99351
SHA162041a1e7836144d6603b2dbce13e851a043a26f
SHA256267a23cf8c1fb9b7a016c0b98271183c421af91e1185f3c45e06553495421092
SHA51285c3e01fb59072a965fa8ec6995b52788a97a0731e79681e56694f100be82de965bea3541984df737c7665fb3bf90f5a909431f5d3954caada07ea05bf815950
-
Filesize
52KB
MD550b42869259ee6731268b1eac22dc09e
SHA16b16e9e40eb84726a56ef248256b381cd9f10f56
SHA25669e4b110d2d55ead9852963f99edd252207af960f52ff944e2fecd173d527bb5
SHA5127182941264e6f9d7ef4f67380c9e92a727c5383ad8551ce9bee1cce90905ddb3b6ca6c16931940f9d2b371256a4a2eb50ddc00bcf209fb9fa4d91433ff50c9a5
-
Filesize
52KB
MD53eabb590994568471ba6562826fc8b51
SHA19a1ca50238c4ac7dc84ae89c77e96e084f7a5ef0
SHA256ab0bb9182e569b5f1d798662e62fb61f8c5eb774778374b263bae76cf03dc32d
SHA51285d80901388ef9c5222147881da90423268e3a0c1e9aa469f5439ccec1456d2652288e02e214d9a0ae714a364013130d5188cc6db569748fd594560b3925da4b
-
Filesize
52KB
MD5be95d3407b4dcb93da5e09565133d9f0
SHA1ef95e04a3877263816e60868e4e8cb6cf823a25b
SHA256cfd1dc93880715ee3865fd8e60788c60c3fa33601dbca86526ea6290bc2b1193
SHA512940294b5415da239872647f698fb73337e66035d5a02b1575d3ea9da38b2d8e0e0c4bd6d3aecb09bb9926c00db8444c982e6b458f48ec66ebeba43f48ee21a0f