Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20-11-2024 20:02
General
-
Target
0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe
-
Size
52KB
-
MD5
e51e107f9ee3de6202449d7ff315dcac
-
SHA1
40eec8327696857e7f28a3e22346a76e00306a10
-
SHA256
0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db
-
SHA512
8e493bc5c338b1be8b92c243f3172e8a9b9a48df46fc8517bca7c2ce3485fbe148bafaeb51e9a00fec4647c980ebdf1952e879b6a5d6cd9a5eabe30c04de4d10
-
SSDEEP
768:d+ciLamXW9XgMxjFkpvMVX8q18q13yO1oj5n/wpkfw:IzaEW5gMxZVXf8a3yO1opwF
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 10 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs
-
Windows security bypass 2 TTPs 25 IoCs
-
Blocks application from running via registry modification 30 IoCs
Adds application to list of disallowed applications.
-
Disables RegEdit via registry modification 10 IoCs
-
Disables use of System Restore points 1 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 10 IoCs
-
Executes dropped EXE 20 IoCs
-
Loads dropped DLL 4 IoCs
-
Modifies system executable filetype association 2 TTPs 62 IoCs
-
Windows security modification 2 TTPs 30 IoCs
-
Adds Run key to start application 2 TTPs 15 IoCs
-
Drops desktop.ini file(s) 6 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 32 IoCs
-
Drops file in Windows directory 20 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 21 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 45 IoCs
-
Modifies Internet Explorer settings 1 TTPs 10 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
-
Suspicious use of SetWindowsHookEx 21 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
-
System policy modification 1 TTPs 35 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe"C:\Users\Admin\AppData\Local\Temp\0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
52KB
MD5ae9f81c92753fd178d1e313d5f6f2a0f
SHA1e87ec656683e157257fbce2e0c9e42ba4401aecd
SHA2566ce2d2e13c8e38a477b2a2b811af3e07ac4556241a214fa5b874db8b5dcd17f3
SHA512490ab8df310536dd49c2667c4b3e1d07e01a01410e0ce976b4b6273b7718eef9a0ebab21aed1d45a4a8c54fa3914a05b7ccf3490cecd4affa32d4ccf69cd6217
-
Filesize
52KB
MD5b840e19b3d5a57ed7c4c6e00ae5e7b9c
SHA1093456a2a1d66cb10cb7538190902dc7f188e682
SHA2562f8a10a672da149ee1ba7156c3dd88dc45c9d0c67df46c8f8e1888b0b24205e9
SHA512406ea4484e7acc95d61e10b4e657cb4f42db79e15e3d4c987419e6d3741bf4ca203ab6893be8dbf4a53ecf137cfa48366a2207ea9fc7f19d68de87c0c75423c3
-
Filesize
52KB
MD5050f9393360cb83eb8fafefec3350f24
SHA192199d9df5c1225f970f4f24f25aa30225433185
SHA25699521d93b9478e9569548107fd84ed993c4fa6e7ffde51fc26e01dfff1af62ae
SHA5127f6a175134b1cd7f2275dc6d127b515f3d461fbd50d99427506cc5f35ab9491299c9225eb156bace850885060d2d1aacb8a25f2fdb098b8c8169f3a626783182
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
52KB
MD583f20adb655892bc8f16efd863958a4d
SHA1b5d8eb125af3b4554c6ca664bf010e334c285a4f
SHA2560fb975092c164b91b1a1a3e42f92f3a26a8ca17b38f2f8f47a13d9f0565fb57f
SHA512fac235914215a0030487a3ffc09e73f65957fa24fab7ef946d595d066ab76ba49668dcc515f292cfde1facfd74ec44715ebe3a68045cbc4d102ad7cd5fde6cd4
-
Filesize
52KB
MD5fd7bdafd892ddeb47c94f4be7026525b
SHA17be32cec08fb37c639ba5541e6d0f00207d8f237
SHA2566df97db9a08dc79fb2bf12f4b07aafe851d4d3540e84be50dc3256e78e52abe6
SHA512c5b8cd2af09aec701ef35abcdb31ac80c47b27ec9e9b2f6daf56ce2a257cb23cc6c76c1716592a5624194d8ffbd897d46ef494ccea8f61a8bd4619a5de605332
-
Filesize
52KB
MD5e51e107f9ee3de6202449d7ff315dcac
SHA140eec8327696857e7f28a3e22346a76e00306a10
SHA2560ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db
SHA5128e493bc5c338b1be8b92c243f3172e8a9b9a48df46fc8517bca7c2ce3485fbe148bafaeb51e9a00fec4647c980ebdf1952e879b6a5d6cd9a5eabe30c04de4d10
-
Filesize
52KB
MD52626d7d6c85394e95fe8c13454ecd97f
SHA1d1c996804fc735e0ded60dfebb60a5fcab3694cf
SHA25687f404349226d9ff899499e6d304d50984e15d8266d7de18cd9c94e39172ae48
SHA512b25c97f5d1dc58010903083aa179928dde0a31fb92805d86bd89d34514fb5312ae740ad3d95b25ba1df50cc6518fb85922f710a8bcf7044651e8c0ef242e6a87
-
Filesize
52KB
MD5a4868bd1439d3a34527eaf431f2af905
SHA1ce80068a09fe0208eebc9addac060d6eeb72d06d
SHA256d2e50f4e183f2689a8deff15ff555dc9b34c99b3d21c4a97810cb14aedd62b79
SHA512d1ce3f918cd2ca95d25e7e527e0769668667ae1bd0f89552a21dc6a154d32893481d37b4f56bcea5ac22a466ff780044cf75a35b11379ecc775b783609448daf
-
Filesize
52KB
MD5aeeb174e28c2356c2398c36f27c7e33f
SHA1a84d953da0ec1aee314a12b50b499b90d13a599d
SHA2561194d81d14de1ef233da345a62ff18e5657595f187dbdf53107ffec73b5a9ffb
SHA512be01975cc12281a5f97e1887ef3d694027bc4ea05591b3ff0425f179f18f6a9ba954b9532feed020bbc76a4b458559eaf7483a0e701f731a3f9d2812c01a87a8
-
Filesize
52KB
MD54ef9a46350912bfeccbdbc329f1122a3
SHA1977daca44af77c6da17c4475be8e86eb40e59d3b
SHA256e8a378a2067726ce157477188e4b6d7a00aa9a8a9bb6e585b150b85785cd64df
SHA51287c039726527adab1da2d61fd99ee4b0a90686eb6888c9963678afee49aabd9a56f05039818524db391aafc01bc37e21467dfa57e9541e4808eb1880f3257780
-
Filesize
52KB
MD519d61267edf6ce730c6f8d0f98031d5c
SHA1d13a533246cac9218609f33b6b5de858745670c4
SHA256db37c387e5e394880a49ba69e7872370e2eae30fc67787a59d15f9719cad52e8
SHA512fed61f7703499e168938b80d2ae98e69c6fff7f5e94c9137ae29dc8e0528954d0aef7ff20ea9ad298ea8060f4cd8182725f80452a493a023837218dd57288e0c
-
Filesize
2KB
MD594c0c5518c4f4bb044842a006d04932a
SHA123d9a914f6681d65e2b1faa171f4cf492562ebdb
SHA256224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e
SHA51279cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
52KB
MD5731b2c1845e4a5f7f9bf60f24aa9d71b
SHA15a88393096c2c3cb9e96cf2f7243158ea131ecd1
SHA256ab27cb07b491af667a79f6aa958d8205b58fe626a7cf63f57c5bdd7548efb3b6
SHA512b495cfcf8677e61cfb18e3ea0d7aabf5fe9d81f440a0334f41df8e9faa8645a5a5f80542c7439cd162e8d63da09d3d0182807cc87ef7d9ca6f662a3b9e1e5aa1
-
Filesize
52KB
MD50296fef09ec2e3adf5e94024eada731e
SHA141714807ad03b92432afc5f71a58f347ff7b98b4
SHA256a39f02dad09d0abaf335b2d5bc7658b8e9a8d0550cba45c44845b0a037c2118d
SHA512fa8c6b574d9afdf0967ed5cff393dc9e6dd53fafebfb60166cd8db155efcf3816548fb444259e4d93e8710205c41b0145dc7b3764a1be0bf45e7a703de521bc6
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB