Analysis Overview
SHA256
3b64ce283febf3207dd20c99fc53de65b07044231eb544c4c41de374a2571c5c
Threat Level: Known bad
The file WinXP.Horror.Destructive (Created By WobbyChip).exe was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UAC bypass
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Checks whether UAC is enabled
Writes to the Master Boot Record (MBR)
Unsigned PE
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 08:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 08:22
Reported
2024-05-26 08:29
Platform
win11-20240508-en
Max time kernel
325s
Max time network
273s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "0" | C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive (Created By WobbyChip).exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive (Created By WobbyChip).exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive (Created By WobbyChip).exe | N/A |
Disables Task Manager via registry modification
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive (Created By WobbyChip).exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive (Created By WobbyChip).exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive (Created By WobbyChip).exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Control Panel\Mouse | C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive (Created By WobbyChip).exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive (Created By WobbyChip).exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive (Created By WobbyChip).exe | N/A |
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" | C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive (Created By WobbyChip).exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1" | C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive (Created By WobbyChip).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive (Created By WobbyChip).exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive (Created By WobbyChip).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive (Created By WobbyChip).exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive (Created By WobbyChip).exe
"C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive (Created By WobbyChip).exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004BC
C:\Windows\system32\sihost.exe
sihost.exe
Network
Files