Analysis
- max time kernel: 45s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 16-01-2021 09:47

Static task: static1
Behavioral task: behavioral1
- Sample: teracopy.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: teracopy.exe
- Resource: win10v20201028
General
- Target: teracopy.exe
- Size: 8.0MB
- MD5: 23e1f8baf7abde16f393036f99770d31
- SHA1: 8bd41b0c81a22c39e15918fc21769174962c4268
- SHA256: 90f0c8d513a09e1072b7c955686b9eb13e15b3ff86bcd5204d7734b8e25ed8f3
- SHA512: 229e46cab3e65ba83266860466ab4c28b4938bdd0a90fad860a29a8e9aeeeee88c3c77b4a23a60ec75ff5b97de843aa5f3bd5bc4c751041786df1233b48706ad
Malware Config
Signatures
-
Modifies system executable filetype association (2 TTPs, 4 IoCs)
Processes: regsvr32.exe, regsvr32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\TeraCopy | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\TeraCopy\ = "{A8005AF0-D6E8-48AF-8DFA-023B1CF660A7}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\TeraCopy | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\TeraCopy\ = "{A8005AF0-D6E8-48AF-8DFA-023B1CF660A7}" | regsvr32.exe
-
Registers COM server for autorun (1 TTPs)
-
Executes dropped EXE (5 IoCs)
Processes: teracopy.tmp, TeraCopyService.exe, TeraCopyService.exe, TeraCopyService.exe, TeraCopy.exe
pid | process
3672 | teracopy.tmp
2892 | TeraCopyService.exe
2276 | TeraCopyService.exe
1792 | TeraCopyService.exe
1504 | TeraCopy.exe
-
Loads dropped DLL (2 IoCs)
Processes: regsvr32.exe, regsvr32.exe
pid | process
3832 | regsvr32.exe
3176 | regsvr32.exe
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory (103 IoCs)
Processes: teracopy.tmp
-
Modifies registry class (152 IoCs)
Processes: teracopy.tmp, regsvr32.exe, regsvr32.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: teracopy.tmp, TeraCopy.exe
pid | process
3672 | teracopy.tmp
3672 | teracopy.tmp
1504 | TeraCopy.exe
1504 | TeraCopy.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: TeraCopy.exe
description | pid | process
Token: SeManageVolumePrivilege | 1504 | TeraCopy.exe
-
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes: teracopy.tmp, TeraCopy.exe
pid | process
3672 | teracopy.tmp
1504 | TeraCopy.exe
1504 | TeraCopy.exe
-
Suspicious use of WriteProcessMemory (22 IoCs)
Processes: teracopy.exe, teracopy.tmp, net.exe, regsvr32.exe
description | pid | process | target process
PID 740 wrote to memory of 3672 | 740 | teracopy.exe | teracopy.tmp
PID 740 wrote to memory of 3672 | 740 | teracopy.exe | teracopy.tmp
PID 740 wrote to memory of 3672 | 740 | teracopy.exe | teracopy.tmp
PID 3672 wrote to memory of 212 | 3672 | teracopy.tmp | net.exe
PID 3672 wrote to memory of 212 | 3672 | teracopy.tmp | net.exe
PID 3672 wrote to memory of 212 | 3672 | teracopy.tmp | net.exe
PID 212 wrote to memory of 2024 | 212 | net.exe | net1.exe
PID 212 wrote to memory of 2024 | 212 | net.exe | net1.exe
PID 212 wrote to memory of 2024 | 212 | net.exe | net1.exe
PID 3672 wrote to memory of 3832 | 3672 | teracopy.tmp | regsvr32.exe
PID 3672 wrote to memory of 3832 | 3672 | teracopy.tmp | regsvr32.exe
PID 3672 wrote to memory of 3332 | 3672 | teracopy.tmp | regsvr32.exe
PID 3672 wrote to memory of 3332 | 3672 | teracopy.tmp | regsvr32.exe
PID 3332 wrote to memory of 3176 | 3332 | regsvr32.exe | regsvr32.exe
PID 3332 wrote to memory of 3176 | 3332 | regsvr32.exe | regsvr32.exe
PID 3332 wrote to memory of 3176 | 3332 | regsvr32.exe | regsvr32.exe
PID 3672 wrote to memory of 2892 | 3672 | teracopy.tmp | TeraCopyService.exe
PID 3672 wrote to memory of 2892 | 3672 | teracopy.tmp | TeraCopyService.exe
PID 3672 wrote to memory of 2276 | 3672 | teracopy.tmp | TeraCopyService.exe
PID 3672 wrote to memory of 2276 | 3672 | teracopy.tmp | TeraCopyService.exe
PID 3672 wrote to memory of 1504 | 3672 | teracopy.tmp | TeraCopy.exe
PID 3672 wrote to memory of 1504 | 3672 | teracopy.tmp | TeraCopy.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\teracopy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\teracopy.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-APOSP.tmp\teracopy.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-APOSP.tmp\teracopy.tmp" /SL5="$20112,7637107,721408,C:\Users\Admin\AppData\Local\Temp\teracopy.exe"
    Signatures: Executes dropped EXE; Drops file in Program Files directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\System32\net.exe" stop TeraCopyService
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop TeraCopyService
    - C:\Windows\system32\regsvr32.exe
      Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\TeraCopy\TeraCopyExt.dll"
      Signatures: Modifies system executable filetype association; Loads dropped DLL; Modifies registry class
    - C:\Windows\system32\regsvr32.exe
      Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\TeraCopy\TeraCopyExt32.dll"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regsvr32.exe
        Command line: /s "C:\Program Files\TeraCopy\TeraCopyExt32.dll"
        Signatures: Modifies system executable filetype association; Loads dropped DLL; Modifies registry class
    - C:\Program Files\TeraCopy\TeraCopyService.exe
      Command line: "C:\Program Files\TeraCopy\TeraCopyService.exe" /remove /s
      Signatures: Executes dropped EXE
    - C:\Program Files\TeraCopy\TeraCopyService.exe
      Command line: "C:\Program Files\TeraCopy\TeraCopyService.exe" /i
      Signatures: Executes dropped EXE
    - C:\Program Files\TeraCopy\TeraCopy.exe
      Command line: "C:\Program Files\TeraCopy\TeraCopy.exe"
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Program Files\TeraCopy\TeraCopyService.exe
  Command line: "C:\Program Files\TeraCopy\TeraCopyService.exe"
  Signatures: Executes dropped EXE
Network
Downloads