1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3 | Triage

Analysis

max time kernel
148s
max time network
154s
platform
windows10_x64
resource
win10v200722
submitted
29-07-2020 07:17

Sharing

Report Analysis Logs

General

Target

1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe
Size

172KB
MD5

169aaafbcc45bcc0ad01ccf74df8f5a8
SHA1

e8e922317325d2527ef75a35d16407d5f671f6cb
SHA256

1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3
SHA512

f4f4dc28aae507535d5b71fb092a2e9e0a0e3a3e463f9e17a9dee4214655bfb2900ec6b6eb0b8453418f0ae3bd51c2c2d08638baac0d8ce3f1cfeb43b8759461

Score

8^/10

persistence discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1136	TuXTybCoi.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\CLSID	1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\CLSID\{EFD8D9FB-2E9B-950D-F8EF-BF228E1CAA45}\1 = 7872dc8d3f70f0457764f6f2aff6bf29aa0e8b5b5bfe53837fbec9611e3e5c74dbbba1896e812e4e25de03bdbc46a5df5a4eaf712e3cbe57fc3c533ceca78258c2b8590a8dce86142f030ca0089094543d364f79bd6839975341b583b72bff9fcb1fbd6bf2e84e6b9039d54c7977dc07d0d98e8e0e41293696bb4cd8f83f3b06be836d7ae87bfb477603b79e658d7424231c8fb65a887ec7d411826faecc64512dd8f2152bc1dc3598a510d1d11422afb2cde54a276eab06e6a21d72c7793926ae83e8509e3213656e0ea1d428e2c45eff8be8583bd15f6a2203ff244973a882ed83fd9fc7c758b18b684efa1ea4b44cea4594f43c81576b8d085ee643f0097ba39f91bbe62414198900b7eda46202fa9902022435b9758997ab20667cff197634c2224d77eb55db9f3e8dbdbe9f80cc	1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\CLSID\{EFD8D9FB-2E9B-950D-F8EF-BF228E1CAA45}\2 = eb70b2fa36a335692b997ca3953500c1fb547dcd69e6b0b3770ef689c51facdbdebbe22c33df21d422b2eeb936d6baf01f399525b4b98a65d00f1ccb1037e5ecf2c138041ead73561b376cc64db280041f97d04e95c54ab8010d96342670ec4363963e23e04b59fb4fdf43c9921e38fd4c5681e96e6e90a7d12510701b9d5a3a7aaf5f416fef0b364f2a8b738724b662e6b035c4260593847590b5382f0d5be8f4beb996f7ae232c711371fae6c5dcd1c90db207ca2f843560e669d5ccd01a329d1c54dadcd87f6e7686e7bec7e35963bf9016b408ae46b7c59975f4c8951d18	TuXTybCoi.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\CLSID\{EFD8D9FB-2E9B-950D-F8EF-BF228E1CAA45}	1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\CLSID\{EFD8D9FB-2E9B-950D-F8EF-BF228E1CAA45}\2	1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\CLSID\{EFD8D9FB-2E9B-950D-F8EF-BF228E1CAA45}\2 = eb70b2fa36a335692b997ca3953500c1fb547dcd69e6b0b3770ef689c51facdbdebbe22c33df21d422b2eeb936d6baf01f399525b4b98a65d00f1ccb1037e5ecf2c138041ead73561b376cc64db280041f97d04e95c54ab8010d96342670ec4363963e23e04b59fb4fdf43c9921e38fd4c5681e96e6e90a7d12510701b9d5a3a7aaf5f416fef0b364f2a8b738724b662d2cb47150f35e90a7372aded0d95040ebdff53e8d4c80adb1d11edc16393a127c90db207ca2f843560e669d5ccd01a329d1c54dadcd87f6e7686e7bec7e35963896ad7f9aaa6edd93de9e7fbabd766e3	TuXTybCoi.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\CLSID\{EFD8D9FB-2E9B-950D-F8EF-BF228E1CAA45}\ = 85f27dfa0299c821697f3415d37af968882a29e084663f0d6cb84c7b36294d16840d8869e97aa9767ca2f4622c75bae9931f0f50ab3142d46ff3326a700bdbe321485bbc11fa6a529d1b3c32c41ed7da639f3c0654b11b7ec809aad4f34dcf163056dbbad4f4ae1a19df5e3b43643058993d4df58cb57e3012c10aeae7d211c0993d4df58cb57e3012c10aeae7d211c0993d4df58cb57e3012c10aeae7d211c0993d4df58cb57e3012c10aeae7d211c02891cb8b12154cac19db90f7a39aafaa	1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\CLSID\{EFD8D9FB-2E9B-950D-F8EF-BF228E1CAA45}\1	1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\CLSID\{EFD8D9FB-2E9B-950D-F8EF-BF228E1CAA45}\0 = 389d53f6c649e18b0d55bab2a5ff2b15fc746104c2619e99e5a764028ed27905a68499aab758ac3e5ca8eeef7294e605db317e2f8280e9fe900eb1a4baf201baa6ebdb20a337cb44ccea61f7c5d1c37c4999834689c3ab46bc3159b2c67a00408b321d05ad836ae76dfe74dbeeb3d709f1758921f50d5a65684d8a0afa3235dd6661660c3da9e62422353e0b73f018ee1681af09846b67bac3d83e8b3a2e53818acc2906629458052c192b48fff42313f931419447629265df1c8885e526aed94d7de5cc98cb55007b7ccba2c385bae3a5ceda9c91664693642aabe91a308fcbbfa48615d2eda6ad9de749090101b5daa5839a073f15f290d1b28804e682453ea1ba9f244a5fc15271d347a1e52a24270bf71c0b649b7a4ec1140b00e643d4ccc75233c3701594f7525096c435e5ab0cdff7f710c181b411887817dc74f3e5093aff8a73a2389e836e28da7c39fbc861	1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\CLSID\{EFD8D9FB-2E9B-950D-F8EF-BF228E1CAA45}\2	TuXTybCoi.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\CLSID	TuXTybCoi.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\CLSID\{EFD8D9FB-2E9B-950D-F8EF-BF228E1CAA45}\1	TuXTybCoi.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\CLSID\{EFD8D9FB-2E9B-950D-F8EF-BF228E1CAA45}\2 = 5c0468034c8ed7d1fb5931e320e08fb1fb547dcd69e6b0b3770ef689c51facdbdebbe22c33df21d422b2eeb936d6baf01f399525b4b98a65d00f1ccb1037e5ecf2c138041ead73561b376cc64db280041f97d04e95c54ab8010d96342670ec4363963e23e04b59fb4fdf43c9921e38fd4c5681e96e6e90a7d12510701b9d5a3a7aaf5f416fef0b364f2a8b738724b662654567901f29d39f584c4860738e8e7b53d18c141170f842a013b8f922d3da5094ad5fa131dc480b7373a8e6bf72fccdf30c56811dc4921eb075bcdd32de75f77839cff56aa3e161f7e47f07c4ee13cb	TuXTybCoi.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\CLSID\{EFD8D9FB-2E9B-950D-F8EF-BF228E1CAA45}\2 = 5994605e8ba2ca74c81f0f832fea4e8ffb547dcd69e6b0b3770ef689c51facdbdebbe22c33df21d422b2eeb936d6baf01f399525b4b98a65d00f1ccb1037e5ecf2c138041ead73561b376cc64db280041f97d04e95c54ab8010d96342670ec4363963e23e04b59fb4fdf43c9921e38fd4c5681e96e6e90a7d12510701b9d5a3a7aaf5f416fef0b364f2a8b738724b6626b1b531ea19e847631619cdae4f0a07455947804280bc70b4af9769ae26e3b0bceae73dc70a5d9033e584c2c71f63d8c71002952a1955999d41dbae5eb07188d251944545a12cfd5410b9885093b6771	TuXTybCoi.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{EFD8D9FB-2E9B-950D-F8EF-BF228E1CAA45} = "C:\\Users\\Admin\\AppData\\Roaming\\zpIzKCjQ\\lOBZZmwm\\rCrktHKV\\TuXTybCoi.exe"	1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe
"C:\Users\Admin\AppData\Local\Temp\1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe"
1⤵
- Modifies registry class
- Adds Run key to start application
PID:424

C:\Users\Admin\AppData\Roaming\zpIzKCjQ\lOBZZmwm\rCrktHKV\TuXTybCoi.exe
C:\Users\Admin\AppData\Roaming\zpIzKCjQ\lOBZZmwm\rCrktHKV\TuXTybCoi.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads