Analysis
- max time kernel: 130s
- max time network: 146s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-11-2020 18:18

Static task: static1
Behavioral task: behavioral1
  Sample: 55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe
  Resource: win10v20201028
General
- Target: 55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe
- Size: 140KB
- MD5: 71b17c804e07fbd04b3f0ff0964b901d
- SHA1: 6d3acc515aee69d0d84674bd3923263ecb26b39c
- SHA256: 55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1
- SHA512: aa881cf82666283b47f5101c4d282ee97092527debe9bc2475f213fdcd16e89f3bbd4ebb2d3ccbd5c88bcd6d3cc8f09a8c3a930a9d7ba711107d6edda6d150ea
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 196   update.exe
    PID 3180  update.tmp
    PID 648   TCON.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run  (update.tmp)
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TCON = "C:\\Program Files (x86)\\TCON\\TCON.exe"  (update.tmp)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (6 IoCs)
  Processes:
    File created                  C:\Program Files (x86)\TCON\is-Q677F.tmp  (update.tmp)
    File created                  C:\Program Files (x86)\TCON\is-MUU8Q.tmp  (update.tmp)
    File opened for modification  C:\Program Files (x86)\TCON\unins000.dat  (update.tmp)
    File opened for modification  C:\Program Files (x86)\TCON\TCON.exe      (update.tmp)
    File created                  C:\Program Files (x86)\TCON\unins000.dat  (update.tmp)
    File created                  C:\Program Files (x86)\TCON\is-CCHH2.tmp  (update.tmp)
- Kills process with taskkill (1 IoC)
  Processes:
    PID 940   TaskKill.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    PID 3180  update.tmp  (2 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    PID 1028  55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege  PID 940  TaskKill.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
    PID 3180  update.tmp
    PID 1028  55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe
    PID 648   TCON.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
    PID 1028  55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe
    PID 648   TCON.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (parent PID -> target PID, parent image -> target image; each edge reported 3 times):
    1028 -> 196   55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe -> update.exe
    196  -> 3180  update.exe -> update.tmp
    3180 -> 940   update.tmp -> TaskKill.exe
    3180 -> 648   update.tmp -> TCON.exe
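The WriteProcessMemory, Run key and file events above are the raw material for the first triage question: which process wrote the Run key, what launched it, and does the Run key target point at a file the same chain dropped and then executed? The script below is an added example, not part of the report or of any tool the page names. It parses constructed copies of this report's own event lines (same PIDs, images and paths) and ties the registry write back to the submitted sample. It assumes image names are unique within the run, which holds here but not in general.

```python
"""Reconstruct the process chain behind the Run-key write in a sandbox report.

Added example, not part of the report. It parses the three kinds of event
line this report prints (process creation as seen through WriteProcessMemory,
the registry Set value, and File created/opened lines) and answers the first
triage questions: which process wrote the Run key, what chain of parents
launched it, and does the Run-key target match a file the same chain dropped
and then executed?
"""
import re

# Constructed from this report's own IoC lines (same PIDs, images and paths).
SAMPLE = "55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe"
EVENTS = [
    f"PID 1028 wrote to memory of 196 1028 {SAMPLE} update.exe",
    f"PID 1028 wrote to memory of 196 1028 {SAMPLE} update.exe",
    f"PID 1028 wrote to memory of 196 1028 {SAMPLE} update.exe",
    "PID 196 wrote to memory of 3180 196 update.exe update.tmp",
    "PID 3180 wrote to memory of 940 3180 update.tmp TaskKill.exe",
    "PID 3180 wrote to memory of 648 3180 update.tmp TCON.exe",
    "File created C:\\Program Files (x86)\\TCON\\is-Q677F.tmp update.tmp",
    "File opened for modification C:\\Program Files (x86)\\TCON\\TCON.exe update.tmp",
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows'
    '\\CurrentVersion\\Run\\TCON = "C:\\\\Program Files (x86)\\\\TCON\\\\TCON.exe" update.tmp',
]

# "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>"
CREATE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
# 'Set value (str) <key path ending in ...\CurrentVersion\Run\<name>> = "<data>" <writer>'
RUN_RE = re.compile(r'^Set value \(str\) (\S*\\CurrentVersion\\Run\\\S+) = "(.*)" (\S+)$')
# "File created|opened for modification <path, may contain spaces> <writer>"
FILE_RE = re.compile(r"^File (?:created|opened for modification) (.+) (\S+)$")


def parse_events(lines):
    """Return (parent-of map, image-by-pid map, Run-key writes, files touched)."""
    parents, images, run_writes, files = {}, {}, [], set()
    for line in lines:
        m = CREATE_RE.match(line)
        if m:
            ppid, cpid, pimg, cimg = int(m[1]), int(m[2]), m[3], m[4]
            parents[cpid] = ppid            # repeated events overwrite the same edge
            images.setdefault(ppid, pimg)
            images[cpid] = cimg
            continue
        m = RUN_RE.match(line)
        if m:
            # The report escapes backslashes inside the quoted value; undo that.
            run_writes.append((m[1], m[2].replace("\\\\", "\\"), m[3]))
            continue
        m = FILE_RE.match(line)
        if m:
            files.add(m[1])
    return parents, images, run_writes, files


def chain(pid, parents, images):
    """Root-to-leaf ancestry of pid as 'image(pid)' strings."""
    out = []
    while pid is not None:
        out.append(f"{images.get(pid, '?')}({pid})")
        pid = parents.get(pid)
    return out[::-1]


def find_persistence(lines):
    """One finding per Run-key write, tying the writer back to the sample."""
    parents, images, run_writes, files = parse_events(lines)
    pid_by_image = {img: pid for pid, img in images.items()}  # assumes unique image names
    findings = []
    for key, target, writer in run_writes:
        target_image = target.rsplit("\\", 1)[-1]
        findings.append({
            "key": key,
            "target": target,
            "writer_chain": chain(pid_by_image.get(writer), parents, images),
            "target_was_dropped": target in files,
            "target_was_executed": target_image in pid_by_image,
        })
    return findings


if __name__ == "__main__":
    for f in find_persistence(EVENTS):
        print(" -> ".join(f["writer_chain"]), "wrote", f["key"], "=", f["target"])
        print("   target dropped by chain:", f["target_was_dropped"],
              "| target executed:", f["target_was_executed"])
```

For this report the single finding reads sample(1028) -> update.exe(196) -> update.tmp(3180), with the Run key target both dropped and executed by that chain, which is the full install-and-persist cycle in one place rather than spread across five signature blocks.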
Processes (indentation shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\update.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\update.exe" /VerySilent
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\is-ICCUE.tmp\update.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-ICCUE.tmp\update.tmp" /SL5="$5005E,235221,56832,C:\Users\Admin\AppData\Local\Temp\update.exe" /VerySilent
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\TaskKill.exe
        Command line: "C:\Windows\system32\TaskKill.exe" /F /IM TCON.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      - C:\Program Files (x86)\TCON\TCON.exe
        Command line: "C:\Program Files (x86)\TCON\TCON.exe"
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
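The tree above is the standard shape of an Inno Setup install: the stub (update.exe) extracts its real setup program into an is-XXXXX.tmp directory and starts it with the /SL5="..." handoff argument, and the is-XXXXX.tmp files and unins000.dat under Program Files are the same toolkit's work. Killing the previous TCON.exe with taskkill /F before writing the new one and then starting it is also what an ordinary self-updating application's installer does, so on its own this tree does not establish the sample as malicious; what TCON.exe does afterwards is the question that matters. The script below is an added example, not part of the report or of Inno Setup. It splits the reported command lines the way Windows does for simple quoting, recognises the /SL5 handoff, normalises installer switches, and matches the taskkill target against an image started later in the same tree. It assumes (the page does not say) that the four /SL5 fields are the loader's window handle in hex with a "$" prefix, two byte offsets into the original installer, and that installer's path; the offsets are carried through as opaque integers.

```python
"""Classify the command lines in an Inno Setup style install chain.

Added example, not part of the report. It splits Windows command lines the
way the sandbox printed them, recognises the Inno Setup loader handoff (the
extracted update.tmp is started with /SL5="$hwnd,offset,offset,installer"),
normalises installer switches, and extracts the image name from a
`taskkill /F /IM <name>` call so it can be matched against a process that
the same chain starts afterwards.

Assumption (not stated on the page): the four /SL5 fields are taken to be
the loader's window handle (hex, '$' prefix), two byte offsets into the
original installer, and that installer's path; offsets are kept as ints.
"""
import re

# Constructed from the report's process tree (same strings, in tree order).
SAMPLE = "55b31e3bb9e15864bfb62c5607a153b44d119e87cb10e9228e071349d445b0b1.exe"
CMDLINES = [
    f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"',
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\update.exe" /VerySilent',
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\is-ICCUE.tmp\\update.tmp" '
    '/SL5="$5005E,235221,56832,C:\\Users\\Admin\\AppData\\Local\\Temp\\update.exe" /VerySilent',
    '"C:\\Windows\\system32\\TaskKill.exe" /F /IM TCON.exe',
    '"C:\\Program Files (x86)\\TCON\\TCON.exe"',
]

# A token is a run of unquoted non-space text and/or double-quoted runs, so
# /SL5="...path with spaces..." stays one argument. Backslash-escaped quotes
# are not handled; sandbox-reported command lines do not use them.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def split_cmdline(cmd):
    return [t.replace('"', "") for t in TOKEN_RE.findall(cmd)]


def parse_sl5(value):
    """'$5005E,235221,56832,C:\\...\\update.exe' -> handle, offsets, installer path."""
    hwnd, off0, off1, installer = value.split(",", 3)   # path is last, may contain commas
    return {"hwnd": int(hwnd.lstrip("$"), 16),
            "offsets": (int(off0), int(off1)),
            "installer": installer}


def classify(cmd):
    argv = split_cmdline(cmd)
    image = argv[0]
    lowered = [a.lower() for a in argv]
    switches = {a for a in lowered[1:] if a.startswith("/") and "=" not in a}
    info = {
        "image": image,
        "kind": "other",
        "silent": bool({"/silent", "/verysilent"} & switches),
        "from_temp": bool(TEMP_RE.search(image)),
    }
    sl5 = next((a for a in argv[1:] if a.upper().startswith("/SL5=")), None)
    if sl5:
        info["kind"] = "inno_setup_stage2"
        info.update(parse_sl5(sl5[len("/SL5="):]))
    elif image.rsplit("\\", 1)[-1].lower() == "taskkill.exe":
        info["kind"] = "taskkill"
        info["forced"] = "/f" in switches
        if "/im" in lowered and lowered.index("/im") + 1 < len(argv):
            info["target_image"] = argv[lowered.index("/im") + 1]
    elif info["silent"]:
        info["kind"] = "silent_installer"
    return info


def audit(cmdlines):
    """Findings an analyst would pull from the tree, in tree order."""
    parsed = [classify(c) for c in cmdlines]
    findings = []
    for i, p in enumerate(parsed):
        later = {q["image"].rsplit("\\", 1)[-1].lower() for q in parsed[i + 1:]}
        if p["kind"] == "inno_setup_stage2" and p["silent"] and TEMP_RE.search(p["installer"]):
            findings.append(f"silent Inno Setup install of {p['installer']} from a user temp dir")
        if p["kind"] == "taskkill" and p.get("forced") and p.get("target_image", "").lower() in later:
            findings.append(f"taskkill /F of {p['target_image']} before the same image is started")
    return findings


if __name__ == "__main__":
    for line in audit(CMDLINES):
        print(line)
```

Both findings fire on this tree. The second one is the useful pivot: a forced kill of an image name that is then started from Program Files is what an in-place upgrade looks like, so the next step is to diff the new TCON.exe (hashes in Downloads below) against whatever was installed before rather than to treat the taskkill itself as the alert.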
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\TCON\TCON.exe
  MD5:    829dfaa06edbab928e87593ab193d1ef
  SHA1:   260d8d1de24952e3cd77773bd7442710d71287fa
  SHA256: 20fcda79c471cf37703a7698dfcc8dbc7807d8c56a3c45e1579610728f812728
  SHA512: a02f3bae34f8f4f7cdaa9638b7f9ed51889d1cb10d1a75ee786acc420edc700a1d88cd2835663c8402a979911459ea323fe3ae5f4dea61af4a91053f55b57c51
- C:\Users\Admin\AppData\Local\Temp\is-ICCUE.tmp\update.tmp
  MD5:    9303156631ee2436db23827e27337be4
  SHA1:   018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
  SHA256: bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
  SHA512: 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
- C:\Users\Admin\AppData\Local\Temp\update.exe
  MD5:    ba770406ea8c414730c772ee9e45610a
  SHA1:   39bd7bbb4ff4dae7cefa50d5491058e6173dcc4b
  SHA256: 7e94ebdcc288bf1e4a81dcc58a7007fde1f185e67f8bf458fad5a4f42841d1fd
  SHA512: 5b46f017358dcf6a9e5b21358ee25779a143a86ecc78045cd6c2202e44e3bdeea054828dfd166e1cb497c7e25c0e0c0a9fc791840257f32c8421bcd1a2fafbc8
- memory/196-0-0x0000000000000000-mapping.dmp
- memory/648-7-0x0000000000000000-mapping.dmp
- memory/940-6-0x0000000000000000-mapping.dmp
- memory/3180-3-0x0000000000000000-mapping.dmp