89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9

Analysis

max time kernel
152s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe
Size

330KB
MD5

074b01e83285b20eafc271a3d1fed283
SHA1

b410b0733e6d9adcbf14bcb009235d05465f97ac
SHA256

89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9
SHA512

8cde8e4e7d87367e9df729f3dc662e947cd86b7dfd896d0c4bbccfe25b5bd07ddeee767966673274f43581127c32fa65c6ca07f8b2f17a78255a9fe9c04925a9
SSDEEP

6144:wU1tnxKApiXZcKgGEoi9P7DGXfszPxuRiIdn+:Xtn4A2+KjEL9z6cPxqiC

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1392	tiofud.exe

Deletes itself 1 IoCs

pid	Process
364	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1148	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	tiofud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{91C05068-4FEF-AD4D-7F1F-8FEC7D0BACF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Teep\\tiofud.exe"	tiofud.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1148 set thread context of 364	1148	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	28

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe
1392	tiofud.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1148	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe
1392	tiofud.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1392	1148	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	27
PID 1148 wrote to memory of 1392	1148	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	27
PID 1148 wrote to memory of 1392	1148	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	27
PID 1148 wrote to memory of 1392	1148	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	27
PID 1148 wrote to memory of 1392	1148	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	27
PID 1148 wrote to memory of 1392	1148	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	27
PID 1148 wrote to memory of 1392	1148	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	27
PID 1392 wrote to memory of 1228	1392	tiofud.exe	12
PID 1392 wrote to memory of 1228	1392	tiofud.exe	12
PID 1392 wrote to memory of 1228	1392	tiofud.exe	12
PID 1392 wrote to memory of 1228	1392	tiofud.exe	12
PID 1392 wrote to memory of 1228	1392	tiofud.exe	12
PID 1392 wrote to memory of 1320	1392	tiofud.exe	13
PID 1392 wrote to memory of 1320	1392	tiofud.exe	13
PID 1392 wrote to memory of 1320	1392	tiofud.exe	13
PID 1392 wrote to memory of 1320	1392	tiofud.exe	13
PID 1392 wrote to memory of 1320	1392	tiofud.exe	13
PID 1392 wrote to memory of 1380	1392	tiofud.exe	14
PID 1392 wrote to memory of 1380	1392	tiofud.exe	14
PID 1392 wrote to memory of 1380	1392	tiofud.exe	14
PID 1392 wrote to memory of 1380	1392	tiofud.exe	14
PID 1392 wrote to memory of 1380	1392	tiofud.exe	14
PID 1392 wrote to memory of 1148	1392	tiofud.exe	26
PID 1392 wrote to memory of 1148	1392	tiofud.exe	26
PID 1392 wrote to memory of 1148	1392	tiofud.exe	26
PID 1392 wrote to memory of 1148	1392	tiofud.exe	26
PID 1392 wrote to memory of 1148	1392	tiofud.exe	26
PID 1148 wrote to memory of 364	1148	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	28
PID 1148 wrote to memory of 364	1148	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	28
PID 1148 wrote to memory of 364	1148	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	28
PID 1148 wrote to memory of 364	1148	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	28
PID 1148 wrote to memory of 364	1148	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	28
PID 1148 wrote to memory of 364	1148	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	28
PID 1148 wrote to memory of 364	1148	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	28
PID 1148 wrote to memory of 364	1148	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	28
PID 1148 wrote to memory of 364	1148	89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe	28

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1228

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1320

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe
  "C:\Users\Admin\AppData\Local\Temp\89db71a57803f508953c6b95fe74daf698bd9d63ab52c1de438db7252fd2a9d9.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Users\Admin\AppData\Roaming\Teep\tiofud.exe
    "C:\Users\Admin\AppData\Roaming\Teep\tiofud.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp8f36cf4d.bat"
    3⤵
    - Deletes itself
    PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8f36cf4d.bat

Filesize
307B

MD5
09bf0bc71dc62ca6897c112d206ed033

SHA1
8626ee679818fa334506ab0e442eefcd216e5245

SHA256
a5e95c583a3191192e07efe297ce1f8e4582b3fd2d3be608372b2ec764ecb1ca

SHA512
99dab7260858f6cb139642655a131c3cf5b7e9ae2fafb20002de62058537f56ad384bbd2f0eb479f2ac6a182c0b10198b14d8250521349186a1d7b3b81431db8

Download Submit
C:\Users\Admin\AppData\Roaming\Teep\tiofud.exe

Filesize
330KB

MD5
d2a524303725344c6b5c4573877e23a8

SHA1
ecb477beaacea9492e1baeaad5537ea1c26ed091

SHA256
8cf6fa2463b62418615ead0ca9d9cea8d8753bb77961cd3beb23db8d34b201f1

SHA512
ed40fe52ec5468f5e53f52cdbe77b155617dd0c6cbd243e7ef913b5e74ced962ebc7af9256ba9d51a19381645b5a0e343ed767c731a4da214633f1dbdda03787

Download Submit
C:\Users\Admin\AppData\Roaming\Teep\tiofud.exe

Filesize
330KB

MD5
d2a524303725344c6b5c4573877e23a8

SHA1
ecb477beaacea9492e1baeaad5537ea1c26ed091

SHA256
8cf6fa2463b62418615ead0ca9d9cea8d8753bb77961cd3beb23db8d34b201f1

SHA512
ed40fe52ec5468f5e53f52cdbe77b155617dd0c6cbd243e7ef913b5e74ced962ebc7af9256ba9d51a19381645b5a0e343ed767c731a4da214633f1dbdda03787

Download Submit
\Users\Admin\AppData\Roaming\Teep\tiofud.exe

Filesize
330KB

MD5
d2a524303725344c6b5c4573877e23a8

SHA1
ecb477beaacea9492e1baeaad5537ea1c26ed091

SHA256
8cf6fa2463b62418615ead0ca9d9cea8d8753bb77961cd3beb23db8d34b201f1

SHA512
ed40fe52ec5468f5e53f52cdbe77b155617dd0c6cbd243e7ef913b5e74ced962ebc7af9256ba9d51a19381645b5a0e343ed767c731a4da214633f1dbdda03787

Download Submit
memory/364-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/364-114-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/364-116-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/364-113-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/364-94-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/364-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/364-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/364-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/364-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/364-98-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/364-96-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/364-97-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/1148-103-0x0000000001F20000-0x0000000001F75000-memory.dmp

Filesize
340KB

Download
memory/1148-99-0x00000000002A0000-0x00000000002E7000-memory.dmp

Filesize
284KB

Download
memory/1148-55-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1148-82-0x0000000001F20000-0x0000000001F67000-memory.dmp

Filesize
284KB

Download
memory/1148-83-0x0000000001F20000-0x0000000001F67000-memory.dmp

Filesize
284KB

Download
memory/1148-84-0x0000000001F20000-0x0000000001F67000-memory.dmp

Filesize
284KB

Download
memory/1148-85-0x0000000001F20000-0x0000000001F67000-memory.dmp

Filesize
284KB

Download
memory/1148-86-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1148-87-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1148-88-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1148-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1148-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1148-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1148-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1148-106-0x0000000001F20000-0x0000000001F67000-memory.dmp

Filesize
284KB

Download
memory/1148-105-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1148-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1148-100-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1228-62-0x0000000001C70000-0x0000000001CB7000-memory.dmp

Filesize
284KB

Download
memory/1228-65-0x0000000001C70000-0x0000000001CB7000-memory.dmp

Filesize
284KB

Download
memory/1228-64-0x0000000001C70000-0x0000000001CB7000-memory.dmp

Filesize
284KB

Download
memory/1228-67-0x0000000001C70000-0x0000000001CB7000-memory.dmp

Filesize
284KB

Download
memory/1228-66-0x0000000001C70000-0x0000000001CB7000-memory.dmp

Filesize
284KB

Download
memory/1320-73-0x0000000001B10000-0x0000000001B57000-memory.dmp

Filesize
284KB

Download
memory/1320-70-0x0000000001B10000-0x0000000001B57000-memory.dmp

Filesize
284KB

Download
memory/1320-71-0x0000000001B10000-0x0000000001B57000-memory.dmp

Filesize
284KB

Download
memory/1320-72-0x0000000001B10000-0x0000000001B57000-memory.dmp

Filesize
284KB

Download
memory/1380-76-0x00000000025E0000-0x0000000002627000-memory.dmp

Filesize
284KB

Download
memory/1380-78-0x00000000025E0000-0x0000000002627000-memory.dmp

Filesize
284KB

Download
memory/1380-77-0x00000000025E0000-0x0000000002627000-memory.dmp

Filesize
284KB

Download
memory/1380-79-0x00000000025E0000-0x0000000002627000-memory.dmp

Filesize
284KB

Download
memory/1392-101-0x00000000002A0000-0x00000000002E7000-memory.dmp

Filesize
284KB

Download
memory/1392-102-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1392-117-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download