Analysis

max time kernel: 16s
max time network: 19s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-06-2024 01:22

Static task: static1
Behavioral task: behavioral1
  Sample: DO NOT ENTER THIS EXE.exe
  Resource: win10v2004-20240426-en
Errors

General

Target: DO NOT ENTER THIS EXE.exe
Size: 11.0MB
MD5: 5ebb0732d02ca96039d4d3afbe28ea62
SHA1: a196cb3873a1e5d407b04495a29c41a6d0107c39
SHA256: d41b9d6d891d35c3c31ffbfb693ba59efa11b159b4f9e1704b73abe1c0dcabc1
SHA512: 27286714261cf4a56855cec838f19a10ca102569b0d7ee729a7c42a4cc42587583cd14a638e75f0eb4b3253c3b9bda4ef691cf42a52d29ca0f2b485db1d997e6
SSDEEP: 196608:qPQS04D+i4DZmLclKez/LkqIgjYX8NslsYCNiZITX+IC:EBwULcrz/dIZ6slxDIC
Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" | DO NOT ENTER THIS EXE.exe

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | DO NOT ENTER THIS EXE.exe

Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | DO NOT ENTER THIS EXE.exe

Disables Task Manager via registry modification

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | DO NOT ENTER THIS EXE.exe

Modifies system executable filetype association (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico" | DO NOT ENTER THIS EXE.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\w0alp.tmp" | DO NOT ENTER THIS EXE.exe

Drops file in Windows directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\bsector3.exe | DO NOT ENTER THIS EXE.exe
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | DO NOT ENTER THIS EXE.exe
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\rcur.cur | DO NOT ENTER THIS EXE.exe
File created | C:\windows\winbase_base_procid_none\secureloc0x65\0x000F.WAV | DO NOT ENTER THIS EXE.exe
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\tobi0a0c.exe | DO NOT ENTER THIS EXE.exe
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\WinRapistI386.vbs | DO NOT ENTER THIS EXE.exe
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\ui66.exe | DO NOT ENTER THIS EXE.exe
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\winsxs.ico | DO NOT ENTER THIS EXE.exe
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\0x000F.WAV | DO NOT ENTER THIS EXE.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies Control Panel (3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | DO NOT ENTER THIS EXE.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | DO NOT ENTER THIS EXE.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | DO NOT ENTER THIS EXE.exe

Modifies data under HKEY_USERS (15 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "154" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe

Modifies registry class (8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico" | DO NOT ENTER THIS EXE.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon | DO NOT ENTER THIS EXE.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico" | DO NOT ENTER THIS EXE.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon | DO NOT ENTER THIS EXE.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file | DO NOT ENTER THIS EXE.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico" | DO NOT ENTER THIS EXE.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico" | DO NOT ENTER THIS EXE.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico" | DO NOT ENTER THIS EXE.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 1144 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 1144 | shutdown.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2840 | LogonUI.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 4660 wrote to memory of 1144 | 4660 | DO NOT ENTER THIS EXE.exe | 88
PID 4660 wrote to memory of 1144 | 4660 | DO NOT ENTER THIS EXE.exe | 88

System policy modification (1 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | DO NOT ENTER THIS EXE.exe
Processes

C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe"
  PID: 4660
  Signatures:
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Modifies system executable filetype association
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Child processes:
    C:\Windows\System32\shutdown.exe
      Command line: "C:\Windows\System32\shutdown.exe" /r /t 00
      PID: 1144
      Signatures:
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39b8855 /state1:0x41c64e6d
  PID: 2840
  Signatures:
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Downloads

Filesize: 2.4MB
MD5: fe3ff5c960ffe350ceef5e7ddb47a90c
SHA1: 4df64c51d1412ba8607d8f361f09808f9a9a58a9
SHA256: 612124638e466d5fee56aec02345d8af0908abc4482a22de96a5ad4acc2a4f01
SHA512: b9f9ebc52d54a8e4eda6c190edf6be753c340ebd765ac7b15d7d0778aac82bddf1b3c0f25e7c866f826ef39248074c9cce90c448054d531c414037d6b3afa84e