Analysis

  • max time kernel
    16s
  • max time network
    19s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-06-2024 01:22

Errors

Reason
Machine shutdown

General

  • Target
    DO NOT ENTER THIS EXE.exe
  • Size
    11.0MB
  • MD5
    5ebb0732d02ca96039d4d3afbe28ea62
  • SHA1
    a196cb3873a1e5d407b04495a29c41a6d0107c39
  • SHA256
    d41b9d6d891d35c3c31ffbfb693ba59efa11b159b4f9e1704b73abe1c0dcabc1
  • SHA512
    27286714261cf4a56855cec838f19a10ca102569b0d7ee729a7c42a4cc42587583cd14a638e75f0eb4b3253c3b9bda4ef691cf42a52d29ca0f2b485db1d997e6
  • SSDEEP
    196608:qPQS04D+i4DZmLclKez/LkqIgjYX8NslsYCNiZITX+IC:EBwULcrz/dIZ6slxDIC

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 3 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe
    "C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Modifies system executable filetype association
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4660
    • C:\Windows\System32\shutdown.exe
      "C:\Windows\System32\shutdown.exe" /r /t 00
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1144
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39b8855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2840

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav
    Filesize
    2.4MB
    MD5
    fe3ff5c960ffe350ceef5e7ddb47a90c
    SHA1
    4df64c51d1412ba8607d8f361f09808f9a9a58a9
    SHA256
    612124638e466d5fee56aec02345d8af0908abc4482a22de96a5ad4acc2a4f01
    SHA512
    b9f9ebc52d54a8e4eda6c190edf6be753c340ebd765ac7b15d7d0778aac82bddf1b3c0f25e7c866f826ef39248074c9cce90c448054d531c414037d6b3afa84e

  • memory/4660-0-0x00007FF99C6E3000-0x00007FF99C6E5000-memory.dmp
    Filesize
    8KB

  • memory/4660-1-0x0000000000880000-0x0000000001386000-memory.dmp
    Filesize
    11.0MB