Analysis
- max time kernel: 39s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 23-05-2022 17:09
Static task: static1
Behavioral task: behavioral1
  Sample: TBAG2.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: TBAG2.exe
  Resource: win10v2004-20220414-en
General
- Target: TBAG2.exe
- Size: 163KB
- MD5: 7f2a753436c357cf86cefee430626e09
- SHA1: 67f6f4cc1f66b7300e9692046a049efeede32dc1
- SHA256: 35f13d8f063f086e5ef1cff022a0f1bb3daf65ed7163ec7854cc9b3c8bf46c1d
- SHA512: 0e58b52adca2961b69f5e53b3f5d705b20131723f5c1244d0103a66a40616757693cf992384c0f61ba5e9f2c205ebc97a93791167cf6ba95d7280c10208403e4
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: TBAG2.exe
  - Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce (process: TBAG2.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: TBAG2.exe)
- Delays execution with timeout.exe (1 IoC)
  Processes: timeout.exe
  - pid 892, timeout.exe
- Suspicious use of AdjustPrivilegeToken (40 IoCs)
  Processes: WMIC.exe (pid 2024)
  - Token: SeIncreaseQuotaPrivilege
  - Token: SeSecurityPrivilege
  - Token: SeTakeOwnershipPrivilege
  - Token: SeLoadDriverPrivilege
  - Token: SeSystemProfilePrivilege
  - Token: SeSystemtimePrivilege
  - Token: SeProfSingleProcessPrivilege
  - Token: SeIncBasePriorityPrivilege
  - Token: SeCreatePagefilePrivilege
  - Token: SeBackupPrivilege
  - Token: SeRestorePrivilege
  - Token: SeShutdownPrivilege
  - Token: SeDebugPrivilege
  - Token: SeSystemEnvironmentPrivilege
  - Token: SeRemoteShutdownPrivilege
  - Token: SeUndockPrivilege
  - Token: SeManageVolumePrivilege
  - Token: 33
  - Token: 34
  - Token: 35
  (the sequence of 20 token adjustments above is recorded twice for pid 2024, giving 40 IoCs)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: TBAG2.exe, cmd.exe
  - PID 784 (TBAG2.exe) wrote to memory of PID 1444 (cmd.exe), recorded 3 times
  - PID 1444 (cmd.exe) wrote to memory of PID 2024 (WMIC.exe), recorded 3 times
  - PID 1444 (cmd.exe) wrote to memory of PID 1300 (find.exe), recorded 3 times
  - PID 1444 (cmd.exe) wrote to memory of PID 892 (timeout.exe), recorded 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\TBAG2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TBAG2.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c TBAG.bat
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic OS get OSArchitecture,caption
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\find.exe
      Command line: FIND "10"
    - C:\Windows\system32\timeout.exe
      Command line: TIMEOUT 5
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TBAG.bat
  Filesize: 9KB
  MD5: 39e70fdd1d314a7ec19de2739a0dbfc7
  SHA1: 99cb234df12be0597f57646995facb556ab6e6f6
  SHA256: e91b662f6c2fcb12e58ec758755282a0e751ec0e705f496bd077676e1cca7a3c
  SHA512: bde77b18e9a6b548018618fdd7ec6bff423be13aa3438e73b2abe39b513869b5099fb35247155fdec2fba5abaf49f2c3935c998888e6e5b252a2cc00519085de
- memory/784-54-0x000007FEFC061000-0x000007FEFC063000-memory.dmp
  Filesize: 8KB
- memory/892-59-0x0000000000000000-mapping.dmp
- memory/1300-58-0x0000000000000000-mapping.dmp
- memory/1444-55-0x0000000000000000-mapping.dmp
- memory/2024-57-0x0000000000000000-mapping.dmp