Analysis
-
max time kernel
149s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20-11-2024 20:08
General
-
Target
0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe
-
Size
52KB
-
MD5
e51e107f9ee3de6202449d7ff315dcac
-
SHA1
40eec8327696857e7f28a3e22346a76e00306a10
-
SHA256
0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db
-
SHA512
8e493bc5c338b1be8b92c243f3172e8a9b9a48df46fc8517bca7c2ce3485fbe148bafaeb51e9a00fec4647c980ebdf1952e879b6a5d6cd9a5eabe30c04de4d10
-
SSDEEP
768:d+ciLamXW9XgMxjFkpvMVX8q18q13yO1oj5n/wpkfw:IzaEW5gMxZVXf8a3yO1opwF
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 10 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs
-
Windows security bypass 2 TTPs 25 IoCs
-
Blocks application from running via registry modification 30 IoCs
Adds application to list of disallowed applications.
-
Disables RegEdit via registry modification 10 IoCs
-
Disables use of System Restore points 1 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 10 IoCs
-
Executes dropped EXE 20 IoCs
-
Loads dropped DLL 4 IoCs
-
Modifies system executable filetype association 2 TTPs 62 IoCs
-
Windows security modification 2 TTPs 30 IoCs
-
Adds Run key to start application 2 TTPs 15 IoCs
-
Drops desktop.ini file(s) 4 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 32 IoCs
-
Drops file in Windows directory 20 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 21 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 45 IoCs
-
Modifies Internet Explorer settings 1 TTPs 10 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
-
Suspicious use of SetWindowsHookEx 21 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
-
System policy modification 1 TTPs 35 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe"C:\Users\Admin\AppData\Local\Temp\0ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
52KB
MD50a7a2a3b3e5cef101119314e8ffe3b7a
SHA1df11d0ead7f075067a7644a6ce8790948c88b388
SHA25650aab227a6090c2d1e71147524dc25e99ffb7d8e24691320c181ca0e9f5f58da
SHA512d039b4d48b0619daa112292ad183c18b73b2277e15abe6686266398bc09d1fd8ac0a5786294e49e0ea2a22568e4e57f1400d3d640a706613bae696e30ff7387c
-
Filesize
52KB
MD5c757b2987fa89718fbd2663e27f1182c
SHA139b10d1a9f96237fcc955d4129bc003c72f3ed3a
SHA256dd0f16ce93b37f90acb7399a40d7f37f9d7835395cc911ccc23f42c6ecf43b58
SHA512f20a66f164222c87ff6a97bd347b0e8a3e1f1a28675a3d98f7d87021a986d88ad80944479ecd0df6419e7e859a5797241068f02cc42fa2f026a50932468260fd
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
52KB
MD50b328474becb3f66c9be1d8707b789e6
SHA18305a9f5adbe3eb3203f7920d3f962a080331409
SHA256aad77613e3473f48ca7f56b43baf85b20aff7e3145ac9cdbbd00a3880e9c2815
SHA512ec398d9a8db4c5b890ccc49f2a1b3f4891872d62f649b18665863fd25361112e39363fc85d1fbee6813ea046e9536ddc9af44ab052cbec71659470a8c6388644
-
Filesize
52KB
MD56e5a3363cc8051fbdf77935f65ee0196
SHA1d7cf8630b31191599a8d2c31295e5b571f53b123
SHA256430bbbc34751cba41111ba6de1cd5106a2b5eb8fe02b1b1302c6bd611642213b
SHA512f124e38dc1fff482b588c6776e3666af2a79dd8a1a74a74c267f68fbc5bee7f558fb4f3a7da3aacc66158e044d8b66a3938dc839ca15b2e80f2a521105a01c04
-
Filesize
52KB
MD5e51e107f9ee3de6202449d7ff315dcac
SHA140eec8327696857e7f28a3e22346a76e00306a10
SHA2560ee33866076c29d41e0e4c3fac9e2641bac31d82247723adbe8c271a5b5a32db
SHA5128e493bc5c338b1be8b92c243f3172e8a9b9a48df46fc8517bca7c2ce3485fbe148bafaeb51e9a00fec4647c980ebdf1952e879b6a5d6cd9a5eabe30c04de4d10
-
Filesize
52KB
MD57e5417ce92ef430a137146ac628db351
SHA171364feb9b0fbc281d9a362f0af3dd80f9b2985c
SHA256d43f87533b57da9bc95eab040c33627bb2162bff30c3d91f019160087ebf9705
SHA512afbd3cd5d5fac088c280b2c887d62946e90a8134f890fc310a34d3c88346a28b570bf15ba91ed27660c40512ab82056581cfdd539f9f23663119cca4de0e85a9
-
Filesize
52KB
MD5feda3ba15567bc3203a8c99da3f60504
SHA17ec922d647e20232bbe1c4200433e32c41b35e0d
SHA2566792c2f951c94931cbfc76ddc2886256afdd1fc76f9144519f9363e39d44123c
SHA512ea256b4667d949d04a89f400c3a97b8cd101939a9ac16fc4e763f07c33bb2eb9c0a5893f23de8891f1c11303350d85fb151bb453979d23e141cbee5c9289d252
-
Filesize
52KB
MD56496a367b2e604ea34fcdb3972cb166b
SHA121c39a0dfd6db44179c90e7f520c4576dcfea757
SHA2568b2c69db3f345b04ec935d4849c0ab3c6de5f37cd279a77d6013551f26528afd
SHA51201aede0d1c0dcdc0689a592a09c506a943d902918383189ebc1ab24e4018ed082ddcab4594734de47f05604bfcf7a3ebf457a443717b0bc914974b5f2c8cf2bd
-
Filesize
52KB
MD5dd5984a393f606a5081301cd88476d16
SHA1e787c5d3c61342b6f57632cdfd39fe6e9e9cc95e
SHA25624515af58c5c0f0c9c3783cccd1366caab317317da2e11ebfe88d7f71df5e310
SHA512ad0c7cdd19914ac3e8a3db2cb760cb74225e9526044002d15eda6cc48c9dcf020c623631fdec9b16ccc7f76bc6fcab3686981ab0aef17f4d9cd95a7616480a5f
-
Filesize
52KB
MD5d8c820afb5956cae1652f5e85e5c5618
SHA155aef28a99a093588fa2fde769c583c7af676e57
SHA256dec6e2b6dd0003a2a0187fef25d3a9f45a9568194a81748d257d2c7fff61ef78
SHA512394cfcc9e0fecc83e65ed29b6edd13157580d71098cdcbead0aa228490067044fd5295b4d86a85a926e1349b8573f979c7705f30af1c1e50eac58e9af0e6d585
-
Filesize
2KB
MD594c0c5518c4f4bb044842a006d04932a
SHA123d9a914f6681d65e2b1faa171f4cf492562ebdb
SHA256224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e
SHA51279cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
52KB
MD545c400f48a3929ae087f76306c53c0a1
SHA12f4654564dd8624ee2c3350b473cd9b37060d880
SHA2565c20d7aedbfa18b2e8326270822e1fad6163230d6003c60be1fe7797d0d31aa2
SHA512befff708f76eb23da842e9aa0f56602a665552d8d2e37ed6656ff05df01fdd04fa8d3c53878b080bb46a4890b0c02edd5371ec0d2783306daa7e537eac6cba7b
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB