35f13d8f063f086e5ef1cff022a0f1bb3daf65ed7163ec7854cc9b3c8bf46c1d

General

Target

TBAG2.exe
Size

163KB
MD5

7f2a753436c357cf86cefee430626e09
SHA1

67f6f4cc1f66b7300e9692046a049efeede32dc1
SHA256

35f13d8f063f086e5ef1cff022a0f1bb3daf65ed7163ec7854cc9b3c8bf46c1d
SHA512

0e58b52adca2961b69f5e53b3f5d705b20131723f5c1244d0103a66a40616757693cf992384c0f61ba5e9f2c205ebc97a93791167cf6ba95d7280c10208403e4

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TBAG2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	TBAG2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	TBAG2.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

892 timeout.exe

pid	process
892	timeout.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

WMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2024	WMIC.exe
Token: SeSecurityPrivilege	2024	WMIC.exe
Token: SeTakeOwnershipPrivilege	2024	WMIC.exe
Token: SeLoadDriverPrivilege	2024	WMIC.exe
Token: SeSystemProfilePrivilege	2024	WMIC.exe
Token: SeSystemtimePrivilege	2024	WMIC.exe
Token: SeProfSingleProcessPrivilege	2024	WMIC.exe
Token: SeIncBasePriorityPrivilege	2024	WMIC.exe
Token: SeCreatePagefilePrivilege	2024	WMIC.exe
Token: SeBackupPrivilege	2024	WMIC.exe
Token: SeRestorePrivilege	2024	WMIC.exe
Token: SeShutdownPrivilege	2024	WMIC.exe
Token: SeDebugPrivilege	2024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2024	WMIC.exe
Token: SeRemoteShutdownPrivilege	2024	WMIC.exe
Token: SeUndockPrivilege	2024	WMIC.exe
Token: SeManageVolumePrivilege	2024	WMIC.exe
Token: 33	2024	WMIC.exe
Token: 34	2024	WMIC.exe
Token: 35	2024	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2024	WMIC.exe
Token: SeSecurityPrivilege	2024	WMIC.exe
Token: SeTakeOwnershipPrivilege	2024	WMIC.exe
Token: SeLoadDriverPrivilege	2024	WMIC.exe
Token: SeSystemProfilePrivilege	2024	WMIC.exe
Token: SeSystemtimePrivilege	2024	WMIC.exe
Token: SeProfSingleProcessPrivilege	2024	WMIC.exe
Token: SeIncBasePriorityPrivilege	2024	WMIC.exe
Token: SeCreatePagefilePrivilege	2024	WMIC.exe
Token: SeBackupPrivilege	2024	WMIC.exe
Token: SeRestorePrivilege	2024	WMIC.exe
Token: SeShutdownPrivilege	2024	WMIC.exe
Token: SeDebugPrivilege	2024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2024	WMIC.exe
Token: SeRemoteShutdownPrivilege	2024	WMIC.exe
Token: SeUndockPrivilege	2024	WMIC.exe
Token: SeManageVolumePrivilege	2024	WMIC.exe
Token: 33	2024	WMIC.exe
Token: 34	2024	WMIC.exe
Token: 35	2024	WMIC.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

TBAG2.execmd.exe

description	pid	process	target process
PID 784 wrote to memory of 1444	784	TBAG2.exe	cmd.exe
PID 784 wrote to memory of 1444	784	TBAG2.exe	cmd.exe
PID 784 wrote to memory of 1444	784	TBAG2.exe	cmd.exe
PID 1444 wrote to memory of 2024	1444	cmd.exe	WMIC.exe
PID 1444 wrote to memory of 2024	1444	cmd.exe	WMIC.exe
PID 1444 wrote to memory of 2024	1444	cmd.exe	WMIC.exe
PID 1444 wrote to memory of 1300	1444	cmd.exe	find.exe
PID 1444 wrote to memory of 1300	1444	cmd.exe	find.exe
PID 1444 wrote to memory of 1300	1444	cmd.exe	find.exe
PID 1444 wrote to memory of 892	1444	cmd.exe	timeout.exe
PID 1444 wrote to memory of 892	1444	cmd.exe	timeout.exe
PID 1444 wrote to memory of 892	1444	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\TBAG2.exe
"C:\Users\Admin\AppData\Local\Temp\TBAG2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\system32\cmd.exe
cmd /c TBAG.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\System32\Wbem\WMIC.exe
wmic OS get OSArchitecture,caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\find.exe
FIND "10"
3⤵
PID:1300

C:\Windows\system32\timeout.exe
TIMEOUT 5
3⤵
- Delays execution with timeout.exe
PID:892

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TBAG.bat
Filesize
9KB

MD5
39e70fdd1d314a7ec19de2739a0dbfc7

SHA1
99cb234df12be0597f57646995facb556ab6e6f6

SHA256
e91b662f6c2fcb12e58ec758755282a0e751ec0e705f496bd077676e1cca7a3c

SHA512
bde77b18e9a6b548018618fdd7ec6bff423be13aa3438e73b2abe39b513869b5099fb35247155fdec2fba5abaf49f2c3935c998888e6e5b252a2cc00519085de

Download Submit
memory/784-54-0x000007FEFC061000-0x000007FEFC063000-memory.dmp

Filesize
8KB

Download
memory/892-59-0x0000000000000000-mapping.dmp

Download
memory/1300-58-0x0000000000000000-mapping.dmp

Download
memory/1444-55-0x0000000000000000-mapping.dmp

Download
memory/2024-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads