55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7v20201028
submitted
08-11-2020 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe
Size

140KB
MD5

71b17c804e07fbd04b3f0ff0964b901d
SHA1

6d3acc515aee69d0d84674bd3923263ecb26b39c
SHA256

55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1
SHA512

aa881cf82666283b47f5101c4d282ee97092527debe9bc2475f213fdcd16e89f3bbd4ebb2d3ccbd5c88bcd6d3cc8f09a8c3a930a9d7ba711107d6edda6d150ea

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

update.exeupdate.tmpTCON.exe

pid process

1544 update.exe
1532 update.tmp
1380 TCON.exe

pid	process
1544	update.exe
1532	update.tmp
1380	TCON.exe

Loads dropped DLL 6 IoCs

Processes:

55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exeupdate.exeupdate.tmp

pid	process
1880	55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe
1544	update.exe
1532	update.tmp
1532	update.tmp
1532	update.tmp
1532	update.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

update.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	update.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCON = "C:\\Program Files (x86)\\TCON\\TCON.exe"	update.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

Processes:

update.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\TCON\TCON.exe	update.tmp
File created	C:\Program Files (x86)\TCON\unins000.dat	update.tmp
File created	C:\Program Files (x86)\TCON\is-1AIM6.tmp	update.tmp
File created	C:\Program Files (x86)\TCON\is-E81TS.tmp	update.tmp
File created	C:\Program Files (x86)\TCON\is-HN48H.tmp	update.tmp
File opened for modification	C:\Program Files (x86)\TCON\unins000.dat	update.tmp

Kills process with taskkill 1 IoCs
evasion

Processes:

TaskKill.exe

pid process

1904 TaskKill.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

update.tmp

pid process

1532 update.tmp
1532 update.tmp
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe

pid process

1880 55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

TaskKill.exe

description pid process

Token: SeDebugPrivilege 1904 TaskKill.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exeupdate.tmpTCON.exe

pid process

1880 55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe
1532 update.tmp
1380 TCON.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exeTCON.exe

pid process

1880 55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe
1380 TCON.exe

pid	process
1904	TaskKill.exe

pid	process
1532	update.tmp
1532	update.tmp

description	pid	process
Token: SeDebugPrivilege	1904	TaskKill.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exeupdate.exeupdate.tmp

description	pid	process	target process
PID 1880 wrote to memory of 1544	1880	55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe	update.exe
PID 1880 wrote to memory of 1544	1880	55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe	update.exe
PID 1880 wrote to memory of 1544	1880	55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe	update.exe
PID 1880 wrote to memory of 1544	1880	55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe	update.exe
PID 1880 wrote to memory of 1544	1880	55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe	update.exe
PID 1880 wrote to memory of 1544	1880	55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe	update.exe
PID 1880 wrote to memory of 1544	1880	55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe	update.exe
PID 1544 wrote to memory of 1532	1544	update.exe	update.tmp
PID 1544 wrote to memory of 1532	1544	update.exe	update.tmp
PID 1544 wrote to memory of 1532	1544	update.exe	update.tmp
PID 1544 wrote to memory of 1532	1544	update.exe	update.tmp
PID 1544 wrote to memory of 1532	1544	update.exe	update.tmp
PID 1544 wrote to memory of 1532	1544	update.exe	update.tmp
PID 1544 wrote to memory of 1532	1544	update.exe	update.tmp
PID 1532 wrote to memory of 1904	1532	update.tmp	TaskKill.exe
PID 1532 wrote to memory of 1904	1532	update.tmp	TaskKill.exe
PID 1532 wrote to memory of 1904	1532	update.tmp	TaskKill.exe
PID 1532 wrote to memory of 1904	1532	update.tmp	TaskKill.exe
PID 1532 wrote to memory of 1380	1532	update.tmp	TCON.exe
PID 1532 wrote to memory of 1380	1532	update.tmp	TCON.exe
PID 1532 wrote to memory of 1380	1532	update.tmp	TCON.exe
PID 1532 wrote to memory of 1380	1532	update.tmp	TCON.exe

C:\Users\Admin\AppData\Local\Temp\55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe
"C:\Users\Admin\AppData\Local\Temp\55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe" /VerySilent
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\is-NS3A3.tmp\update.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NS3A3.tmp\update.tmp" /SL5="$80128,235221,56832,C:\Users\Admin\AppData\Local\Temp\update.exe" /VerySilent
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\TaskKill.exe
"C:\Windows\system32\TaskKill.exe" /F /IM TCON.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Program Files (x86)\TCON\TCON.exe
"C:\Program Files (x86)\TCON\TCON.exe"
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TCON\TCON.exe
MD5
829dfaa06edbab928e87593ab193d1ef

SHA1
260d8d1de24952e3cd77773bd7442710d71287fa

SHA256
20fcda79c471cf37703a7698dfcc8dbc7807d8c56a3c45e1579610728f812728

SHA512
a02f3bae34f8f4f7cdaa9638b7f9ed51889d1cb10d1a75ee786acc420edc700a1d88cd2835663c8402a979911459ea323fe3ae5f4dea61af4a91053f55b57c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NS3A3.tmp\update.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NS3A3.tmp\update.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe
MD5
ba770406ea8c414730c772ee9e45610a

SHA1
39bd7bbb4ff4dae7cefa50d5491058e6173dcc4b

SHA256
7e94ebdcc288bf1e4a81dcc58a7007fde1f185e67f8bf458fad5a4f42841d1fd

SHA512
5b46f017358dcf6a9e5b21358ee25779a143a86ecc78045cd6c2202e44e3bdeea054828dfd166e1cb497c7e25c0e0c0a9fc791840257f32c8421bcd1a2fafbc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe
MD5
ba770406ea8c414730c772ee9e45610a

SHA1
39bd7bbb4ff4dae7cefa50d5491058e6173dcc4b

SHA256
7e94ebdcc288bf1e4a81dcc58a7007fde1f185e67f8bf458fad5a4f42841d1fd

SHA512
5b46f017358dcf6a9e5b21358ee25779a143a86ecc78045cd6c2202e44e3bdeea054828dfd166e1cb497c7e25c0e0c0a9fc791840257f32c8421bcd1a2fafbc8

Download Submit
\Program Files (x86)\TCON\TCON.exe
MD5
829dfaa06edbab928e87593ab193d1ef

SHA1
260d8d1de24952e3cd77773bd7442710d71287fa

SHA256
20fcda79c471cf37703a7698dfcc8dbc7807d8c56a3c45e1579610728f812728

SHA512
a02f3bae34f8f4f7cdaa9638b7f9ed51889d1cb10d1a75ee786acc420edc700a1d88cd2835663c8402a979911459ea323fe3ae5f4dea61af4a91053f55b57c51

Download Submit
\Program Files (x86)\TCON\TCON.exe
MD5
829dfaa06edbab928e87593ab193d1ef

SHA1
260d8d1de24952e3cd77773bd7442710d71287fa

SHA256
20fcda79c471cf37703a7698dfcc8dbc7807d8c56a3c45e1579610728f812728

SHA512
a02f3bae34f8f4f7cdaa9638b7f9ed51889d1cb10d1a75ee786acc420edc700a1d88cd2835663c8402a979911459ea323fe3ae5f4dea61af4a91053f55b57c51

Download Submit
\Users\Admin\AppData\Local\Temp\is-17NSG.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-17NSG.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-NS3A3.tmp\update.tmp
MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe
MD5
ba770406ea8c414730c772ee9e45610a

SHA1
39bd7bbb4ff4dae7cefa50d5491058e6173dcc4b

SHA256
7e94ebdcc288bf1e4a81dcc58a7007fde1f185e67f8bf458fad5a4f42841d1fd

SHA512
5b46f017358dcf6a9e5b21358ee25779a143a86ecc78045cd6c2202e44e3bdeea054828dfd166e1cb497c7e25c0e0c0a9fc791840257f32c8421bcd1a2fafbc8

Download Submit
memory/1380-41-0x0000000000000000-mapping.dmp

Download
memory/1532-12-0x0000000000000000-mapping.dmp

Download
memory/1544-8-0x0000000000000000-mapping.dmp

Download
memory/1764-0-0x000007FEF7810000-0x000007FEF7A8A000-memory.dmp

Filesize
2.5MB

Download
memory/1880-3-0x00000000032D0000-0x00000000033D1000-memory.dmp

Filesize
1.0MB

Download
memory/1880-1-0x00000000032D0000-0x00000000033D1000-memory.dmp

Filesize
1.0MB

Download
memory/1904-16-0x0000000000000000-mapping.dmp

Download