fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c

Analysis

max time kernel
179s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2022 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Size

218KB
MD5

5a366d62530247bbb7fe6460fc748da0
SHA1

c430642e000fbff14d0e05209085a473d33aaf1f
SHA256

fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c
SHA512

dd08b8d160aecfc2f6937475e058b29b4ab70cf0f5d9ecde56d4dddd297fac8437f5943a7c10f4bbb5ee349911d038003526429aabd3fc04f344969d02645c67
SSDEEP

6144:2TMpSoR/PJ+Ol8uTCnDnxdj24lSZACZK:2WSoR/PJ+OlvqDxR24lSZAd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
532	tsasys.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\f:	tsasys.exe
File opened (read-only)	\??\l:	tsasys.exe
File opened (read-only)	\??\u:	tsasys.exe
File opened (read-only)	\??\g:	tsasys.exe
File opened (read-only)	\??\q:	tsasys.exe
File opened (read-only)	\??\r:	tsasys.exe
File opened (read-only)	\??\t:	tsasys.exe
File opened (read-only)	\??\y:	tsasys.exe
File opened (read-only)	\??\i:	tsasys.exe
File opened (read-only)	\??\k:	tsasys.exe
File opened (read-only)	\??\m:	tsasys.exe
File opened (read-only)	\??\n:	tsasys.exe
File opened (read-only)	\??\w:	tsasys.exe
File opened (read-only)	\??\v:	tsasys.exe
File opened (read-only)	\??\x:	tsasys.exe
File opened (read-only)	\??\e:	tsasys.exe
File opened (read-only)	\??\h:	tsasys.exe
File opened (read-only)	\??\j:	tsasys.exe
File opened (read-only)	\??\o:	tsasys.exe
File opened (read-only)	\??\p:	tsasys.exe
File opened (read-only)	\??\s:	tsasys.exe
File opened (read-only)	\??\z:	tsasys.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\oemdrv	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\DefaultIcon\ = "%1"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\shell\open\command	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\Software\Classes\oemdrv\shell\runas\command	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\shell\runas\command\IsolatedCommand = "\"%1\" %*"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\ommand\ = "\"%1\" %*"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\shell	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\shell\open\command\IsolatedCommand = "\"%1\" %*"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "oemdrv"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\shell\runas\command	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\shell\runas\command\ = "\"%1\" %*"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content-Type = "application/x-msdownload"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\DefaultIcon	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\open\command	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\ommand	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\Software\Classes\oemdrv\DefaultIcon	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\shell\open	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\shell\open\command\ = "\"C:\\ProgramData\\Microsoft\\CDRM\\tsasys.exe\" /START \"%1\" %*"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\shell\runas	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\DefaultIcon\ = "%1"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\runas\ommand	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command\ = "\"C:\\ProgramData\\Microsoft\\CDRM\\tsasys.exe\" /START \"%1\" %*"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\ommand\IsolatedCommand = "\"%1\" %*"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\ = "Application"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\Content-Type = "application/x-msdownload"	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\Software\Classes\oemdrv\shell\open\command	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2968	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
2968	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe
532	tsasys.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2968	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
532	tsasys.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 532	2968	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe	81
PID 2968 wrote to memory of 532	2968	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe	81
PID 2968 wrote to memory of 532	2968	fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe	81

C:\Users\Admin\AppData\Local\Temp\fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe
"C:\Users\Admin\AppData\Local\Temp\fccf98555ca5f1c110163b2d07db2ecf86207b42551e3d31938ebd4e6ec5621c.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\ProgramData\Microsoft\CDRM\tsasys.exe
  C:\ProgramData\Microsoft\CDRM\tsasys.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\CDRM\tsasys.exe

Filesize
218KB

MD5
17f25933170a7646ee020e9c16cb3acf

SHA1
43d5a9cdf2f1324df608ad9fe4185a6e38a7bfce

SHA256
8086e8a1d2fd1ef8cd486c1d4732778d262934c8143f03fe269b5d53a6c37dea

SHA512
2b4d5a5ce89b984602831ad9b17675561da3fcbdf9e4faeb322962b772b3511d3e5f354c9598a1ae0ce4a8edfa0081b507b39fe0de965a080e089f708ba1a8ff

Download Submit
C:\ProgramData\Microsoft\CDRM\tsasys.exe

Filesize
218KB

MD5
17f25933170a7646ee020e9c16cb3acf

SHA1
43d5a9cdf2f1324df608ad9fe4185a6e38a7bfce

SHA256
8086e8a1d2fd1ef8cd486c1d4732778d262934c8143f03fe269b5d53a6c37dea

SHA512
2b4d5a5ce89b984602831ad9b17675561da3fcbdf9e4faeb322962b772b3511d3e5f354c9598a1ae0ce4a8edfa0081b507b39fe0de965a080e089f708ba1a8ff

Download Submit
memory/532-132-0x0000000000000000-mapping.dmp

Download
memory/532-135-0x0000000073840000-0x0000000073879000-memory.dmp

Filesize
228KB

Download