Analysis Overview
SHA256
d41b9d6d891d35c3c31ffbfb693ba59efa11b159b4f9e1704b73abe1c0dcabc1
Threat Level: Known bad
The file DO NOT ENTER THIS EXE.exe was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies WinLogon for persistence
Disables Task Manager via registry modification
Disables RegEdit via registry modification
Modifies system executable filetype association
Checks computer location settings
Sets desktop wallpaper using registry
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Modifies Control Panel
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 01:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 01:22
Reported
2024-06-11 01:24
Platform
win10v2004-20240426-en
Max time kernel
16s
Max time network
19s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\w0alp.tmp" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\bsector3.exe | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
| File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
| File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\rcur.cur | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
| File created | C:\windows\winbase_base_procid_none\secureloc0x65\0x000F.WAV | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
| File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\tobi0a0c.exe | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
| File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\WinRapistI386.vbs | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
| File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\ui66.exe | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
| File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\winsxs.ico | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
| File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\0x000F.WAV | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "154" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4660 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | C:\Windows\System32\shutdown.exe |
| PID 4660 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | C:\Windows\System32\shutdown.exe |
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe
"C:\Users\Admin\AppData\Local\Temp\DO NOT ENTER THIS EXE.exe"
C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" /r /t 00
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b8855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
Files
memory/4660-0-0x00007FF99C6E3000-0x00007FF99C6E5000-memory.dmp
memory/4660-1-0x0000000000880000-0x0000000001386000-memory.dmp
C:\Windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav
| MD5 | fe3ff5c960ffe350ceef5e7ddb47a90c |
| SHA1 | 4df64c51d1412ba8607d8f361f09808f9a9a58a9 |
| SHA256 | 612124638e466d5fee56aec02345d8af0908abc4482a22de96a5ad4acc2a4f01 |
| SHA512 | b9f9ebc52d54a8e4eda6c190edf6be753c340ebd765ac7b15d7d0778aac82bddf1b3c0f25e7c866f826ef39248074c9cce90c448054d531c414037d6b3afa84e |