Malware Analysis Report

2025-01-03 08:35

Sample ID 240611-brjeysyhnk
Target DO NOT ENTER THIS EXE.exe
SHA256 d41b9d6d891d35c3c31ffbfb693ba59efa11b159b4f9e1704b73abe1c0dcabc1
Tags evasion persistence ransomware trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 d41b9d6d891d35c3c31ffbfb693ba59efa11b159b4f9e1704b73abe1c0dcabc1

Threat Level: Known bad

The file DO NOT ENTER THIS EXE.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence ransomware trojan

UAC bypass

Modifies WinLogon for persistence

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Modifies system executable filetype association

Checks computer location settings

Sets desktop wallpaper using registry

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Modifies Control Panel

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 01:22

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 01:22

Reported

2024-06-11 01:24

Platform

win10v2004-20240426-en

Max time kernel

16s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A

Winlogon reads Shell as a comma-separated list and starts each entry at interactive logon. Keeping explorer.exe first gives the user a normal desktop, while wscript.exe runs the dropped WinRapistI386.vbs at every logon.

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A

ConsentPromptBehaviorAdmin = 0 is the "Elevate without prompting" setting: members of Administrators elevate silently, so later elevations by the dropped files raise no UAC dialog. The same write is listed again under System policy modification.

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A

The value is written under the logged-on user's SID in HKEY_USERS (that user's HKCU), so regedit.exe refuses to start for that account. Together with the Task Manager policy it removes the two tools a user would reach for to undo the Winlogon change.

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A

Geo\Nation holds the numeric GEOID of the configured country; reading it lets a sample branch on the victim's locale. The report records only the read, not what the sample did with the result.

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A

Only the DefaultIcon value of the exefile class is changed, so .exe files display the dropped winsxs.ico. The report contains no write to exefile\shell\open\command, so launching .exe files is not redirected.

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\w0alp.tmp" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\bsector3.exe | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\rcur.cur | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A
File created | C:\windows\winbase_base_procid_none\secureloc0x65\0x000F.WAV | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\tobi0a0c.exe | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\WinRapistI386.vbs | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\ui66.exe | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\winsxs.ico | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\0x000F.WAV | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "154" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A

Every row in this block is written by C:\Windows\system32\LogonUI.exe to the .DEFAULT hive (accent colour, theme history and DWM colorization used by the logon screen), not by the sample. Treat it as logon-screen noise; the sample's own registry activity is in the other blocks.

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4660 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | C:\Windows\System32\shutdown.exe
PID 4660 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | C:\Windows\System32\shutdown.exe

PID 4660 is the sample (the memory dumps listed under Files are taken from it) and PID 1144 is the shutdown.exe it starts. Writes by a parent into a freshly created child are also what a plain CreateProcess looks like to the monitor, so on their own these two rows do not prove injection.

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A
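The registry rows above are the part of this report that transfers directly to a host check. The following script is an added example, not part of the sandbox report: it parses indicator lines in the report's own "Set value (kind) \REGISTRY\... = "..."" form, converts the kernel object path into the HKLM/HKU form that reg.exe understands, flags the values that matter (an extra Winlogon Shell entry, ConsentPromptBehaviorAdmin = 0, DisableRegistryTools = 1, a file-type icon pointing outside the system directory) and prints the reg query lines to verify each one on a suspect machine. The sample lines are copied from the tables above; the flagging rules and the DisableTaskMgr value name (the standard companion of DisableRegistryTools, which the report names but does not print as a row) are the editor's assumptions.

```python
"""Turn the registry indicators of a Triage-style report into host-checkable IOCs."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicator column of the report rows above, verbatim (constructed input set).
REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\""',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico"',
    r'Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation',
]


@dataclass
class RegIoc:
    key: str    # hive-style key path, e.g. HKLM\SOFTWARE\...
    name: str   # value name; '' means the key's (Default) value
    kind: str   # str / int / data, as reported
    value: str  # value with the report's backslash escaping removed


@dataclass
class Finding:
    ioc: RegIoc
    reason: str


SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)"$')
HIVES = {'\\REGISTRY\\MACHINE\\': 'HKLM\\', '\\REGISTRY\\USER\\': 'HKU\\'}
# Icon sources that are normal for built-in file classes (exefile's default is %1).
ICON_OK = ('%1', '%systemroot%\\', 'c:\\windows\\system32\\')


def sandbox_path_to_hive(path: str) -> str:
    """Map the kernel object path the sandbox logs onto the HKLM/HKU form reg.exe uses."""
    for prefix, hive in HIVES.items():
        if path.startswith(prefix):
            return hive + path[len(prefix):]
    raise ValueError(f'unknown registry hive in {path!r}')


def unescape(value: str) -> str:
    # The report escapes a quote as backslash-quote and a backslash as two backslashes.
    return re.sub(r'\\(.)', r'\1', value)


def parse_line(line: str) -> Optional[RegIoc]:
    """Rows that only create or query a key carry no value and are skipped."""
    m = SET_RE.match(line)
    if not m:
        return None
    kind, path, raw = m.groups()
    key, _, name = sandbox_path_to_hive(path).rpartition('\\')
    return RegIoc(key, name, kind, unescape(raw))


def assess(ioc: RegIoc) -> Optional[Finding]:
    """Flag the values this sample changes when they carry a dangerous setting."""
    key = ioc.key.lower()
    if key.endswith('\\winlogon') and ioc.name.lower() == 'shell':
        # Shell is a comma-separated list; Winlogon starts every entry at logon.
        extra = [p.strip() for p in ioc.value.split(',') if p.strip().lower() != 'explorer.exe']
        if extra:
            return Finding(ioc, 'Winlogon Shell starts extra program(s) at logon: ' + '; '.join(extra))
    if key.endswith('\\policies\\system'):
        if ioc.name == 'ConsentPromptBehaviorAdmin' and ioc.value == '0':
            return Finding(ioc, 'UAC elevates administrators without any prompt')
        # DisableTaskMgr is assumed here as the standard companion value; the report
        # names the behaviour but does not print that row.
        if ioc.name in ('DisableRegistryTools', 'DisableTaskMgr') and ioc.value == '1':
            return Finding(ioc, ioc.name + ' removes a recovery tool from the user')
    if key.endswith('\\defaulticon') and ioc.name == '':
        if not ioc.value.lower().startswith(ICON_OK):
            return Finding(ioc, 'file-type icon redirected to ' + ioc.value)
    return None


def triage(lines: List[str]) -> Tuple[List[RegIoc], List[Finding]]:
    iocs = [i for i in map(parse_line, lines) if i is not None]
    return iocs, [f for f in map(assess, iocs) if f is not None]


def reg_query_commands(findings: List[Finding]) -> List[str]:
    """reg.exe lines to verify each finding on a suspect host (/ve reads the default value)."""
    return [f'reg query "{f.ioc.key}" ' + (f'/v {f.ioc.name}' if f.ioc.name else '/ve')
            for f in findings]


if __name__ == '__main__':
    _, found = triage(REPORT_LINES)
    for f in found:
        print(f'{f.ioc.key}\\{f.ioc.name or "(Default)"} = {f.ioc.value!r}: {f.reason}')
    print('\n'.join(reg_query_commands(found)))
```

The HKU\<SID> form is what reg.exe needs when the affected profile is loaded; for an offline disk image, load the user's NTUSER.DAT with reg load and query under the mount point instead.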

Processes

C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe

"C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe"

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" /r /t 00

/r restarts the machine and /t 00 sets a zero-second countdown, so the reboot follows the registry changes immediately; the Winlogon Shell entry takes effect at the logon after it.

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39b8855 /state1:0x41c64e6d

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 6.160.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp

All six entries are reverse (PTR) lookups sent to 8.8.8.8; an in-addr.arpa name carries the queried address in reversed octet order, so 209.205.72.20.in-addr.arpa asks for the name of 20.72.205.209. No connection to any of these addresses, and no other outbound traffic, appears in the report.

Files

memory/4660-0-0x00007FF99C6E3000-0x00007FF99C6E5000-memory.dmp

memory/4660-1-0x0000000000880000-0x0000000001386000-memory.dmp

C:\Windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav

MD5 fe3ff5c960ffe350ceef5e7ddb47a90c
SHA1 4df64c51d1412ba8607d8f361f09808f9a9a58a9
SHA256 612124638e466d5fee56aec02345d8af0908abc4482a22de96a5ad4acc2a4f01
SHA512 b9f9ebc52d54a8e4eda6c190edf6be753c340ebd765ac7b15d7d0778aac82bddf1b3c0f25e7c866f826ef39248074c9cce90c448054d531c414037d6b3afa84e