90f0c8d513a09e1072b7c955686b9eb13e15b3ff86bcd5204d7734b8e25ed8f3

Analysis

max time kernel
91s
max time network
94s
platform
windows7_x64
resource
win7v20201028
submitted
16-01-2021 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

teracopy.exe
Size

8.0MB
MD5

23e1f8baf7abde16f393036f99770d31
SHA1

8bd41b0c81a22c39e15918fc21769174962c4268
SHA256

90f0c8d513a09e1072b7c955686b9eb13e15b3ff86bcd5204d7734b8e25ed8f3
SHA512

229e46cab3e65ba83266860466ab4c28b4938bdd0a90fad860a29a8e9aeeeee88c3c77b4a23a60ec75ff5b97de843aa5f3bd5bc4c751041786df1233b48706ad

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\TeraCopy	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\TeraCopy\ = "{A8005AF0-D6E8-48AF-8DFA-023B1CF660A7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\TeraCopy	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\TeraCopy\ = "{A8005AF0-D6E8-48AF-8DFA-023B1CF660A7}"	regsvr32.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Executes dropped EXE 5 IoCs

Processes:

teracopy.tmpTeraCopyService.exeTeraCopyService.exeTeraCopyService.exeTeraCopy.exe

pid process

1000 teracopy.tmp
524 TeraCopyService.exe
1492 TeraCopyService.exe
996 TeraCopyService.exe
1176 TeraCopy.exe

pid	process
1000	teracopy.tmp
524	TeraCopyService.exe
1492	TeraCopyService.exe
996	TeraCopyService.exe
1176	TeraCopy.exe

Loads dropped DLL 17 IoCs

Processes:

teracopy.exeteracopy.tmpregsvr32.exeregsvr32.exe

pid	process
1360	teracopy.exe
1000	teracopy.tmp
1000	teracopy.tmp
1260
1260
1260
1260
2020	regsvr32.exe
240	regsvr32.exe
1000	teracopy.tmp
1000	teracopy.tmp
1000	teracopy.tmp
464
1260
1260
1260
1260

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 103 IoCs

Processes:

teracopy.tmp

description	ioc	process
File created	C:\Program Files\TeraCopy\App\Languages\fi-FI\LC_MESSAGES\is-12C5Q.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\it\LC_MESSAGES\is-38RTQ.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\ka\LC_MESSAGES\is-KCT85.tmp	teracopy.tmp
File opened for modification	C:\Program Files\TeraCopy\TeraCopy.exe	teracopy.tmp
File opened for modification	C:\Program Files\TeraCopy\TeraCopyExt32.dll	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\af-ZA\LC_MESSAGES\is-BUI3E.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\ar\LC_MESSAGES\is-L1N90.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\de\LC_MESSAGES\is-9TPB0.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\unins000.msg	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\pl-PL\LC_MESSAGES\is-AOVDM.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\ru\LC_MESSAGES\is-KBPVL.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\sr-Cyrl\LC_MESSAGES\is-5VCNN.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\th-TH\LC_MESSAGES\is-8R1ND.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\is-FIULU.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\is-BU0H6.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\bg\LC_MESSAGES\is-I3TR4.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\bg\LC_MESSAGES\is-3IGN4.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\fi-FI\LC_MESSAGES\is-P87K1.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\ro-RO\LC_MESSAGES\is-JI33I.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\unins000.dat	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\es-AR\LC_MESSAGES\is-835A0.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\hr-HR\LC_MESSAGES\is-5AVE0.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\nb\LC_MESSAGES\is-21B7A.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Sounds\is-FV8CB.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\cs\LC_MESSAGES\is-I073R.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\is-02AB7.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\hr-HR\LC_MESSAGES\is-8O8M5.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\ka\LC_MESSAGES\is-4O8MG.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\ro-RO\LC_MESSAGES\is-7VUBE.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\is-B6UFK.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\is-49HET.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\is-H2V2D.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\es\LC_MESSAGES\is-PTSVG.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\fa-IR\LC_MESSAGES\is-Q84KT.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\sv-SE\LC_MESSAGES\is-1BHAV.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\is-O7A3Q.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\zh-Hant\LC_MESSAGES\is-VHIJM.tmp	teracopy.tmp
File opened for modification	C:\Program Files\TeraCopy\unins000.dat	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\el-GR\LC_MESSAGES\is-MF75M.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\fr\LC_MESSAGES\is-IQU37.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\pl-PL\LC_MESSAGES\is-VTMM3.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\pt-PT\LC_MESSAGES\is-J1FPQ.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\zh-Hant\LC_MESSAGES\is-A9V0J.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\ja\LC_MESSAGES\is-77MCU.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\sl-SI\LC_MESSAGES\is-VRFNV.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\sr-Cyrl\LC_MESSAGES\is-UAPUN.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\is-PA5FP.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\af-ZA\LC_MESSAGES\is-53G3Q.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\cs\LC_MESSAGES\is-73R4C.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\he-IL\LC_MESSAGES\is-SLFAG.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\hu-HU\LC_MESSAGES\is-IOH86.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\tr-TR\LC_MESSAGES\is-S72GP.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\he-IL\LC_MESSAGES\is-3VT17.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\ja\LC_MESSAGES\is-UMAQU.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\tr-TR\LC_MESSAGES\is-QAP17.tmp	teracopy.tmp
File opened for modification	C:\Program Files\TeraCopy\TeraCopy64.dll	teracopy.tmp
File opened for modification	C:\Program Files\TeraCopy\TeraCopyService.exe	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\ar\LC_MESSAGES\is-IQMBQ.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\da\LC_MESSAGES\is-2Q9KA.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\de\LC_MESSAGES\is-MTUR8.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\zh\LC_MESSAGES\is-K6AM6.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\zh-Hans\LC_MESSAGES\is-NH9T7.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\ko\LC_MESSAGES\is-B18CF.tmp	teracopy.tmp
File created	C:\Program Files\TeraCopy\App\Languages\nl\LC_MESSAGES\is-79UPU.tmp	teracopy.tmp

Modifies registry class 151 IoCs

Processes:

teracopy.tmpregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7005AF0-D6E8-48AF-8DFA-023B1CF660A7}\InProcServer32	teracopy.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\TeraCopy	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7076A18D-0B6D-4C9F-AF1F-3188284C4498}\1.0\0\win32\ = "C:\\Program Files\\TeraCopy\\TeraCopyExt32.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TeraCopy	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	teracopy.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\TeraCopy64\ = "{A7645AF0-D6E8-48AF-8DFA-023B1CF660A7}"	teracopy.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7076A18D-0B6D-4C9F-AF1F-3188284C4498}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{273FD489-0061-4730-8557-A0229593C16E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TeraCopy\ = "{A8005AF0-D6E8-48AF-8DFA-023B1CF660A7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraCopy.SHAFile\DefaultIcon	teracopy.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraCopy.SHAFile\Shell\Open\command	teracopy.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sha384\ = "TeraCopy.SHAFile"	teracopy.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7076A18D-0B6D-4C9F-AF1F-3188284C4498}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\TeraCopy	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.md5\ = "TeraCopy.MD5File"	teracopy.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraCopy.SHAFile\Shell	teracopy.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sha1	teracopy.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraCopy\DefaultIcon	teracopy.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraCopy.MD5File\DefaultIcon	teracopy.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sha512\ = "TeraCopy.SHAFile"	teracopy.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8005AF0-D6E8-48AF-8DFA-023B1CF660A7}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8005AF0-D6E8-48AF-8DFA-023B1CF660A7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\TeraCopy	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\TeraCopy\ = "{A7005AF0-D6E8-48AF-8DFA-023B1CF660A7}"	teracopy.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A7645AF0-D6E8-48AF-8DFA-023B1CF660A7}\InProcServer32\ = "C:\\Program Files\\TeraCopy\\TeraCopy64.dll"	teracopy.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8005AF0-D6E8-48AF-8DFA-023B1CF660A7}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8005AF0-D6E8-48AF-8DFA-023B1CF660A7}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\TeraCopy64	teracopy.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7076A18D-0B6D-4C9F-AF1F-3188284C4498}\1.0\ = "TeraCopyExt"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8005AF0-D6E8-48AF-8DFA-023B1CF660A7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8005AF0-D6E8-48AF-8DFA-023B1CF660A7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\TeraCopy\ = "{A7005AF0-D6E8-48AF-8DFA-023B1CF660A7}"	teracopy.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraCopy.MD5File\DefaultIcon\ = "\"C:\\Program Files\\TeraCopy\\TeraCopy.exe\",0"	teracopy.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraCopy.SFVFile\Shell	teracopy.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A7645AF0-D6E8-48AF-8DFA-023B1CF660A7}	teracopy.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{273FD489-0061-4730-8557-A0229593C16E}\TypeLib\ = "{7076A18D-0B6D-4C9F-AF1F-3188284C4498}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\TeraCopy\ = "{A8005AF0-D6E8-48AF-8DFA-023B1CF660A7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\TeraCopy	teracopy.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraCopy.SFVFile	teracopy.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7076A18D-0B6D-4C9F-AF1F-3188284C4498}\1.0\HELPDIR\ = "C:\\Program Files\\TeraCopy\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{273FD489-0061-4730-8557-A0229593C16E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exf\ = "TeraCopy.MD5File"	teracopy.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\DragDropHandlers\TeraCopy64\ = "{A7645AF0-D6E8-48AF-8DFA-023B1CF660A7}"	teracopy.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraCopy\Shell\Open	teracopy.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7076A18D-0B6D-4C9F-AF1F-3188284C4498}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	teracopy.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraCopy.SFVFile\Shell\Open	teracopy.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraCopy.SHAFile\Shell\Open\command\ = "\"C:\\Program Files\\TeraCopy\\TeraCopy.exe\" \"%1\""	teracopy.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hash	teracopy.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{273FD489-0061-4730-8557-A0229593C16E}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8005AF0-D6E8-48AF-8DFA-023B1CF660A7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraCopy.SFVFile\Shell\Open\command\ = "\"C:\\Program Files\\TeraCopy\\TeraCopy.exe\" \"%1\""	teracopy.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sha512	teracopy.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{273FD489-0061-4730-8557-A0229593C16E}\ = "ITeraCopyContextMenu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\TeraCopy\ = "{A8005AF0-D6E8-48AF-8DFA-023B1CF660A7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\TeraCopy\ = "{A7005AF0-D6E8-48AF-8DFA-023B1CF660A7}"	teracopy.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex	teracopy.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraCopy.SFVFile\DefaultIcon\ = "\"C:\\Program Files\\TeraCopy\\TeraCopy.exe\",0"	teracopy.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8005AF0-D6E8-48AF-8DFA-023B1CF660A7}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\DragDropHandlers\TeraCopy\ = "{A7005AF0-D6E8-48AF-8DFA-023B1CF660A7}"	teracopy.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sha384	teracopy.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{273FD489-0061-4730-8557-A0229593C16E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{273FD489-0061-4730-8557-A0229593C16E}\TypeLib\ = "{7076A18D-0B6D-4C9F-AF1F-3188284C4498}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8005AF0-D6E8-48AF-8DFA-023B1CF660A7}\TypeLib	regsvr32.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

teracopy.tmpTeraCopy.exe

pid process

1000 teracopy.tmp
1000 teracopy.tmp
1176 TeraCopy.exe
1176 TeraCopy.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

TeraCopy.exe

description pid process

Token: SeManageVolumePrivilege 1176 TeraCopy.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

teracopy.tmpTeraCopy.exe

pid process

1000 teracopy.tmp
1176 TeraCopy.exe
1176 TeraCopy.exe

pid	process
1000	teracopy.tmp
1000	teracopy.tmp
1176	TeraCopy.exe
1176	TeraCopy.exe

description	pid	process
Token: SeManageVolumePrivilege	1176	TeraCopy.exe

pid	process
1000	teracopy.tmp
1176	TeraCopy.exe
1176	TeraCopy.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

teracopy.exeteracopy.tmpnet.exeregsvr32.exe

description	pid	process	target process
PID 1360 wrote to memory of 1000	1360	teracopy.exe	teracopy.tmp
PID 1360 wrote to memory of 1000	1360	teracopy.exe	teracopy.tmp
PID 1360 wrote to memory of 1000	1360	teracopy.exe	teracopy.tmp
PID 1360 wrote to memory of 1000	1360	teracopy.exe	teracopy.tmp
PID 1360 wrote to memory of 1000	1360	teracopy.exe	teracopy.tmp
PID 1360 wrote to memory of 1000	1360	teracopy.exe	teracopy.tmp
PID 1360 wrote to memory of 1000	1360	teracopy.exe	teracopy.tmp
PID 1000 wrote to memory of 1996	1000	teracopy.tmp	net.exe
PID 1000 wrote to memory of 1996	1000	teracopy.tmp	net.exe
PID 1000 wrote to memory of 1996	1000	teracopy.tmp	net.exe
PID 1000 wrote to memory of 1996	1000	teracopy.tmp	net.exe
PID 1996 wrote to memory of 1104	1996	net.exe	net1.exe
PID 1996 wrote to memory of 1104	1996	net.exe	net1.exe
PID 1996 wrote to memory of 1104	1996	net.exe	net1.exe
PID 1996 wrote to memory of 1104	1996	net.exe	net1.exe
PID 1000 wrote to memory of 2020	1000	teracopy.tmp	regsvr32.exe
PID 1000 wrote to memory of 2020	1000	teracopy.tmp	regsvr32.exe
PID 1000 wrote to memory of 2020	1000	teracopy.tmp	regsvr32.exe
PID 1000 wrote to memory of 2020	1000	teracopy.tmp	regsvr32.exe
PID 1000 wrote to memory of 2020	1000	teracopy.tmp	regsvr32.exe
PID 1000 wrote to memory of 2020	1000	teracopy.tmp	regsvr32.exe
PID 1000 wrote to memory of 2020	1000	teracopy.tmp	regsvr32.exe
PID 1000 wrote to memory of 568	1000	teracopy.tmp	regsvr32.exe
PID 1000 wrote to memory of 568	1000	teracopy.tmp	regsvr32.exe
PID 1000 wrote to memory of 568	1000	teracopy.tmp	regsvr32.exe
PID 1000 wrote to memory of 568	1000	teracopy.tmp	regsvr32.exe
PID 1000 wrote to memory of 568	1000	teracopy.tmp	regsvr32.exe
PID 1000 wrote to memory of 568	1000	teracopy.tmp	regsvr32.exe
PID 1000 wrote to memory of 568	1000	teracopy.tmp	regsvr32.exe
PID 568 wrote to memory of 240	568	regsvr32.exe	regsvr32.exe
PID 568 wrote to memory of 240	568	regsvr32.exe	regsvr32.exe
PID 568 wrote to memory of 240	568	regsvr32.exe	regsvr32.exe
PID 568 wrote to memory of 240	568	regsvr32.exe	regsvr32.exe
PID 568 wrote to memory of 240	568	regsvr32.exe	regsvr32.exe
PID 568 wrote to memory of 240	568	regsvr32.exe	regsvr32.exe
PID 568 wrote to memory of 240	568	regsvr32.exe	regsvr32.exe
PID 1000 wrote to memory of 524	1000	teracopy.tmp	TeraCopyService.exe
PID 1000 wrote to memory of 524	1000	teracopy.tmp	TeraCopyService.exe
PID 1000 wrote to memory of 524	1000	teracopy.tmp	TeraCopyService.exe
PID 1000 wrote to memory of 524	1000	teracopy.tmp	TeraCopyService.exe
PID 1000 wrote to memory of 1492	1000	teracopy.tmp	TeraCopyService.exe
PID 1000 wrote to memory of 1492	1000	teracopy.tmp	TeraCopyService.exe
PID 1000 wrote to memory of 1492	1000	teracopy.tmp	TeraCopyService.exe
PID 1000 wrote to memory of 1492	1000	teracopy.tmp	TeraCopyService.exe
PID 1000 wrote to memory of 1176	1000	teracopy.tmp	TeraCopy.exe
PID 1000 wrote to memory of 1176	1000	teracopy.tmp	TeraCopy.exe
PID 1000 wrote to memory of 1176	1000	teracopy.tmp	TeraCopy.exe
PID 1000 wrote to memory of 1176	1000	teracopy.tmp	TeraCopy.exe

C:\Users\Admin\AppData\Local\Temp\teracopy.exe
"C:\Users\Admin\AppData\Local\Temp\teracopy.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\is-LU27Q.tmp\teracopy.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LU27Q.tmp\teracopy.tmp" /SL5="$30104,7637107,721408,C:\Users\Admin\AppData\Local\Temp\teracopy.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop TeraCopyService
3⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TeraCopyService
4⤵
PID:1104

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\TeraCopy\TeraCopyExt.dll"
3⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Modifies registry class
PID:2020

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\TeraCopy\TeraCopyExt32.dll"
3⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\TeraCopy\TeraCopyExt32.dll"
4⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Modifies registry class
PID:240

C:\Program Files\TeraCopy\TeraCopyService.exe
"C:\Program Files\TeraCopy\TeraCopyService.exe" /remove /s
3⤵
- Executes dropped EXE
PID:524

C:\Program Files\TeraCopy\TeraCopyService.exe
"C:\Program Files\TeraCopy\TeraCopyService.exe" /i
3⤵
- Executes dropped EXE
PID:1492

C:\Program Files\TeraCopy\TeraCopy.exe
"C:\Program Files\TeraCopy\TeraCopy.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1176

C:\Program Files\TeraCopy\TeraCopyService.exe
"C:\Program Files\TeraCopy\TeraCopyService.exe"
1⤵
- Executes dropped EXE
PID:996

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\TeraCopy\App\DefaultData\PowerOff.cmd
MD5
f95082b2d55f940ffd919c87c3432c38

SHA1
1adaca6fc0a241aa405c67eeac4513ab204e98de

SHA256
50c0bc8a1097a40a940133fda83e77d109e1c30fe385e142c646ccfaec9bd4bd

SHA512
bff12129c00419a030e1379ca2497b725feb78f6dff6ef7a801af887c405871932310bd62c7f02e2355faf50b83924fb4aa3e3e1027a69e5835f851033b95089

Download Submit
C:\Program Files\TeraCopy\App\DefaultData\Pushover.ps1
MD5
0798a9d7f61f253d9b5b4b72217e7b43

SHA1
3ba3be98d1e0b614db8682927b2bcdaeb0ee14f5

SHA256
3cd8b0cb018775aed7656321749903c4e099a96f793482bc1558f85f1b7a2687

SHA512
aaedb33127aff4c9b36ba5b0427a611e77b411abb46f3d639b64d9f5a68b4194296858ef0925ee25f77b609d2b70a0233a0bf1ee73698d75fd4740befdeb6784

Download Submit
C:\Program Files\TeraCopy\TeraCopy.exe
MD5
98509b99bbd9184e32213f72175387fa

SHA1
809e0d70321df5f05c73a7e44783551e60640acf

SHA256
c4b0b416eec1e33c263ef399002361dc614ecbf1b35c2dcfec5954f5e37ffc08

SHA512
97c9cbe85dfdfe06572b4be490c439edc2e3be2de1f743df021411a97619a5911c95848a3b4f903c8de5733ad63de8c08fd32811b5d7e09ef06aed3bd1fef2a3

Download Submit
C:\Program Files\TeraCopy\TeraCopy.exe
MD5
98509b99bbd9184e32213f72175387fa

SHA1
809e0d70321df5f05c73a7e44783551e60640acf

SHA256
c4b0b416eec1e33c263ef399002361dc614ecbf1b35c2dcfec5954f5e37ffc08

SHA512
97c9cbe85dfdfe06572b4be490c439edc2e3be2de1f743df021411a97619a5911c95848a3b4f903c8de5733ad63de8c08fd32811b5d7e09ef06aed3bd1fef2a3

Download Submit
C:\Program Files\TeraCopy\TeraCopyExt.dll
MD5
3f7415fbec69fcb9333f90527dc22269

SHA1
25183f6e38e169cc6e796eb0028a44cd8bffe506

SHA256
39f47ba973ebf06979aa09b8b965e3f9dc3119cba49f3c6cf1b1235117d62bad

SHA512
ecb7da44365451a265f8db147b35cd425aa076fbda1872bd1ee5568c04c743572d86c176f0ea7a9e50e89b64929361ffdb7d2da1b77eb2be9f1be7d5c3dcae07

Download Submit
C:\Program Files\TeraCopy\TeraCopyExt32.dll
MD5
0d0f1055c365ebde6a578f51fcd96310

SHA1
0bd0a0e551abafa14e3f2ad4fcbf2bd59decca94

SHA256
28c8538350dcb018d2b85007cd576cf94140648d2b441c8cb0eababe3b129c5e

SHA512
6419bb48b2b58a21779194e7acc06a780eb6436e3c3c1b11c866ac279adca7fa390efab50e3bcc2818f4533ea30c85634f3a4b1c801ab4dbc846d4e60e6c5747

Download Submit
C:\Program Files\TeraCopy\TeraCopyService.exe
MD5
1ad880441359e125fa71648e7b7e140c

SHA1
20f36a035ad9fc24d890ca4e2b3b1285482e1f6e

SHA256
807b966750dd5368c5a4119be50f63f01e11737af86e772c479dbe12b4d8041c

SHA512
259e6285d17f32de8a05572caa7214783ec10138e0fc98ecec49b441ff0f72b445343e684534df3543f5a291b548f2036a9d3943d34cb2c7cb9274d322c9b1eb

Download Submit
C:\Program Files\TeraCopy\TeraCopyService.exe
MD5
1ad880441359e125fa71648e7b7e140c

SHA1
20f36a035ad9fc24d890ca4e2b3b1285482e1f6e

SHA256
807b966750dd5368c5a4119be50f63f01e11737af86e772c479dbe12b4d8041c

SHA512
259e6285d17f32de8a05572caa7214783ec10138e0fc98ecec49b441ff0f72b445343e684534df3543f5a291b548f2036a9d3943d34cb2c7cb9274d322c9b1eb

Download Submit
C:\Program Files\TeraCopy\TeraCopyService.exe
MD5
1ad880441359e125fa71648e7b7e140c

SHA1
20f36a035ad9fc24d890ca4e2b3b1285482e1f6e

SHA256
807b966750dd5368c5a4119be50f63f01e11737af86e772c479dbe12b4d8041c

SHA512
259e6285d17f32de8a05572caa7214783ec10138e0fc98ecec49b441ff0f72b445343e684534df3543f5a291b548f2036a9d3943d34cb2c7cb9274d322c9b1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LU27Q.tmp\teracopy.tmp
MD5
3933eba0c68cfbacea75202bcce25af2

SHA1
fc7f86d2b0a2fa8b3d4cf5d2097b502c1316cd5e

SHA256
28532cc25e97d24e445eee8d0a17b55989570947ede0f5f5558a772fe4f9dbf6

SHA512
4bb71dec631cfcffda71dc91cba8917f2a61876ac063421c968132d0588d6b2d6121f485a93aaca417daab6ab65bd4563059df67f4067e3a04cdcc52e3dc15ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LU27Q.tmp\teracopy.tmp
MD5
3933eba0c68cfbacea75202bcce25af2

SHA1
fc7f86d2b0a2fa8b3d4cf5d2097b502c1316cd5e

SHA256
28532cc25e97d24e445eee8d0a17b55989570947ede0f5f5558a772fe4f9dbf6

SHA512
4bb71dec631cfcffda71dc91cba8917f2a61876ac063421c968132d0588d6b2d6121f485a93aaca417daab6ab65bd4563059df67f4067e3a04cdcc52e3dc15ea

Download Submit
\Program Files\TeraCopy\TeraCopy.exe
MD5
98509b99bbd9184e32213f72175387fa

SHA1
809e0d70321df5f05c73a7e44783551e60640acf

SHA256
c4b0b416eec1e33c263ef399002361dc614ecbf1b35c2dcfec5954f5e37ffc08

SHA512
97c9cbe85dfdfe06572b4be490c439edc2e3be2de1f743df021411a97619a5911c95848a3b4f903c8de5733ad63de8c08fd32811b5d7e09ef06aed3bd1fef2a3

Download Submit
\Program Files\TeraCopy\TeraCopy.exe
MD5
98509b99bbd9184e32213f72175387fa

SHA1
809e0d70321df5f05c73a7e44783551e60640acf

SHA256
c4b0b416eec1e33c263ef399002361dc614ecbf1b35c2dcfec5954f5e37ffc08

SHA512
97c9cbe85dfdfe06572b4be490c439edc2e3be2de1f743df021411a97619a5911c95848a3b4f903c8de5733ad63de8c08fd32811b5d7e09ef06aed3bd1fef2a3

Download Submit
\Program Files\TeraCopy\TeraCopy.exe
MD5
98509b99bbd9184e32213f72175387fa

SHA1
809e0d70321df5f05c73a7e44783551e60640acf

SHA256
c4b0b416eec1e33c263ef399002361dc614ecbf1b35c2dcfec5954f5e37ffc08

SHA512
97c9cbe85dfdfe06572b4be490c439edc2e3be2de1f743df021411a97619a5911c95848a3b4f903c8de5733ad63de8c08fd32811b5d7e09ef06aed3bd1fef2a3

Download Submit
\Program Files\TeraCopy\TeraCopy.exe
MD5
98509b99bbd9184e32213f72175387fa

SHA1
809e0d70321df5f05c73a7e44783551e60640acf

SHA256
c4b0b416eec1e33c263ef399002361dc614ecbf1b35c2dcfec5954f5e37ffc08

SHA512
97c9cbe85dfdfe06572b4be490c439edc2e3be2de1f743df021411a97619a5911c95848a3b4f903c8de5733ad63de8c08fd32811b5d7e09ef06aed3bd1fef2a3

Download Submit
\Program Files\TeraCopy\TeraCopy.exe
MD5
98509b99bbd9184e32213f72175387fa

SHA1
809e0d70321df5f05c73a7e44783551e60640acf

SHA256
c4b0b416eec1e33c263ef399002361dc614ecbf1b35c2dcfec5954f5e37ffc08

SHA512
97c9cbe85dfdfe06572b4be490c439edc2e3be2de1f743df021411a97619a5911c95848a3b4f903c8de5733ad63de8c08fd32811b5d7e09ef06aed3bd1fef2a3

Download Submit
\Program Files\TeraCopy\TeraCopy.exe
MD5
98509b99bbd9184e32213f72175387fa

SHA1
809e0d70321df5f05c73a7e44783551e60640acf

SHA256
c4b0b416eec1e33c263ef399002361dc614ecbf1b35c2dcfec5954f5e37ffc08

SHA512
97c9cbe85dfdfe06572b4be490c439edc2e3be2de1f743df021411a97619a5911c95848a3b4f903c8de5733ad63de8c08fd32811b5d7e09ef06aed3bd1fef2a3

Download Submit
\Program Files\TeraCopy\TeraCopy.exe
MD5
98509b99bbd9184e32213f72175387fa

SHA1
809e0d70321df5f05c73a7e44783551e60640acf

SHA256
c4b0b416eec1e33c263ef399002361dc614ecbf1b35c2dcfec5954f5e37ffc08

SHA512
97c9cbe85dfdfe06572b4be490c439edc2e3be2de1f743df021411a97619a5911c95848a3b4f903c8de5733ad63de8c08fd32811b5d7e09ef06aed3bd1fef2a3

Download Submit
\Program Files\TeraCopy\TeraCopy.exe
MD5
98509b99bbd9184e32213f72175387fa

SHA1
809e0d70321df5f05c73a7e44783551e60640acf

SHA256
c4b0b416eec1e33c263ef399002361dc614ecbf1b35c2dcfec5954f5e37ffc08

SHA512
97c9cbe85dfdfe06572b4be490c439edc2e3be2de1f743df021411a97619a5911c95848a3b4f903c8de5733ad63de8c08fd32811b5d7e09ef06aed3bd1fef2a3

Download Submit
\Program Files\TeraCopy\TeraCopy.exe
MD5
98509b99bbd9184e32213f72175387fa

SHA1
809e0d70321df5f05c73a7e44783551e60640acf

SHA256
c4b0b416eec1e33c263ef399002361dc614ecbf1b35c2dcfec5954f5e37ffc08

SHA512
97c9cbe85dfdfe06572b4be490c439edc2e3be2de1f743df021411a97619a5911c95848a3b4f903c8de5733ad63de8c08fd32811b5d7e09ef06aed3bd1fef2a3

Download Submit
\Program Files\TeraCopy\TeraCopy.exe
MD5
98509b99bbd9184e32213f72175387fa

SHA1
809e0d70321df5f05c73a7e44783551e60640acf

SHA256
c4b0b416eec1e33c263ef399002361dc614ecbf1b35c2dcfec5954f5e37ffc08

SHA512
97c9cbe85dfdfe06572b4be490c439edc2e3be2de1f743df021411a97619a5911c95848a3b4f903c8de5733ad63de8c08fd32811b5d7e09ef06aed3bd1fef2a3

Download Submit
\Program Files\TeraCopy\TeraCopyExt.dll
MD5
3f7415fbec69fcb9333f90527dc22269

SHA1
25183f6e38e169cc6e796eb0028a44cd8bffe506

SHA256
39f47ba973ebf06979aa09b8b965e3f9dc3119cba49f3c6cf1b1235117d62bad

SHA512
ecb7da44365451a265f8db147b35cd425aa076fbda1872bd1ee5568c04c743572d86c176f0ea7a9e50e89b64929361ffdb7d2da1b77eb2be9f1be7d5c3dcae07

Download Submit
\Program Files\TeraCopy\TeraCopyExt32.dll
MD5
0d0f1055c365ebde6a578f51fcd96310

SHA1
0bd0a0e551abafa14e3f2ad4fcbf2bd59decca94

SHA256
28c8538350dcb018d2b85007cd576cf94140648d2b441c8cb0eababe3b129c5e

SHA512
6419bb48b2b58a21779194e7acc06a780eb6436e3c3c1b11c866ac279adca7fa390efab50e3bcc2818f4533ea30c85634f3a4b1c801ab4dbc846d4e60e6c5747

Download Submit
\Program Files\TeraCopy\TeraCopyService.exe
MD5
1ad880441359e125fa71648e7b7e140c

SHA1
20f36a035ad9fc24d890ca4e2b3b1285482e1f6e

SHA256
807b966750dd5368c5a4119be50f63f01e11737af86e772c479dbe12b4d8041c

SHA512
259e6285d17f32de8a05572caa7214783ec10138e0fc98ecec49b441ff0f72b445343e684534df3543f5a291b548f2036a9d3943d34cb2c7cb9274d322c9b1eb

Download Submit
\Program Files\TeraCopy\TeraCopyService.exe
MD5
1ad880441359e125fa71648e7b7e140c

SHA1
20f36a035ad9fc24d890ca4e2b3b1285482e1f6e

SHA256
807b966750dd5368c5a4119be50f63f01e11737af86e772c479dbe12b4d8041c

SHA512
259e6285d17f32de8a05572caa7214783ec10138e0fc98ecec49b441ff0f72b445343e684534df3543f5a291b548f2036a9d3943d34cb2c7cb9274d322c9b1eb

Download Submit
\Program Files\TeraCopy\TeraCopyService.exe
MD5
1ad880441359e125fa71648e7b7e140c

SHA1
20f36a035ad9fc24d890ca4e2b3b1285482e1f6e

SHA256
807b966750dd5368c5a4119be50f63f01e11737af86e772c479dbe12b4d8041c

SHA512
259e6285d17f32de8a05572caa7214783ec10138e0fc98ecec49b441ff0f72b445343e684534df3543f5a291b548f2036a9d3943d34cb2c7cb9274d322c9b1eb

Download Submit
\Program Files\TeraCopy\TeraCopyService.exe
MD5
1ad880441359e125fa71648e7b7e140c

SHA1
20f36a035ad9fc24d890ca4e2b3b1285482e1f6e

SHA256
807b966750dd5368c5a4119be50f63f01e11737af86e772c479dbe12b4d8041c

SHA512
259e6285d17f32de8a05572caa7214783ec10138e0fc98ecec49b441ff0f72b445343e684534df3543f5a291b548f2036a9d3943d34cb2c7cb9274d322c9b1eb

Download Submit
\Users\Admin\AppData\Local\Temp\is-LU27Q.tmp\teracopy.tmp
MD5
3933eba0c68cfbacea75202bcce25af2

SHA1
fc7f86d2b0a2fa8b3d4cf5d2097b502c1316cd5e

SHA256
28532cc25e97d24e445eee8d0a17b55989570947ede0f5f5558a772fe4f9dbf6

SHA512
4bb71dec631cfcffda71dc91cba8917f2a61876ac063421c968132d0588d6b2d6121f485a93aaca417daab6ab65bd4563059df67f4067e3a04cdcc52e3dc15ea

Download Submit
memory/240-19-0x0000000000000000-mapping.dmp

Download
memory/524-23-0x0000000000000000-mapping.dmp

Download
memory/568-17-0x0000000000000000-mapping.dmp

Download
memory/1000-3-0x0000000000000000-mapping.dmp

Download
memory/1104-6-0x0000000000000000-mapping.dmp

Download
memory/1176-32-0x0000000000000000-mapping.dmp

Download
memory/1492-26-0x0000000000000000-mapping.dmp

Download
memory/1996-5-0x0000000000000000-mapping.dmp

Download
memory/2020-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads