7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77

General

Target

7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe
Size

1.2MB
MD5

956972e02044d5255ba631548fab1415
SHA1

589ba5d773b4eb338f62e5839838f4f15cae5255
SHA256

7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77
SHA512

5aa928d14c01462d68a35cf45643d0364b336379dff15c5867a33dab0bea04481f6d848e5553dc872fb6e20a51e2e3e2c4a6a4fe37a470c72686959d0a3fac19
SSDEEP

12288:8GKvjzGASyZ6OENzf8s+y0EMc/4mxooBxXXlDKGKvjzGASyZ6OENzf8s+y0EMc/8:NJZTJZe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

TTravelerx.exe

pid process

736 TTravelerx.exe

pid	process
736	TTravelerx.exe

Drops startup file 2 IoCs

Processes:

7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TTravelerx.exe	7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TTravelerx.exe	7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

5048 taskkill.exe
4968 taskkill.exe

pid	process
5048	taskkill.exe
4968	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

TTravelerx.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	TTravelerx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	TTravelerx.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	TTravelerx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	TTravelerx.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 4968 taskkill.exe
Token: SeDebugPrivilege 5048 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	5048	taskkill.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exeTTravelerx.exe

pid	process
1952	7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe
1952	7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe
1952	7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe
736	TTravelerx.exe
736	TTravelerx.exe
736	TTravelerx.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exeTTravelerx.exe

description	pid	process	target process
PID 1952 wrote to memory of 4968	1952	7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe	taskkill.exe
PID 1952 wrote to memory of 4968	1952	7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe	taskkill.exe
PID 1952 wrote to memory of 4968	1952	7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe	taskkill.exe
PID 1952 wrote to memory of 3308	1952	7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe	cmd.exe
PID 1952 wrote to memory of 3308	1952	7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe	cmd.exe
PID 1952 wrote to memory of 3308	1952	7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe	cmd.exe
PID 1952 wrote to memory of 736	1952	7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe	TTravelerx.exe
PID 1952 wrote to memory of 736	1952	7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe	TTravelerx.exe
PID 1952 wrote to memory of 736	1952	7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe	TTravelerx.exe
PID 736 wrote to memory of 5048	736	TTravelerx.exe	taskkill.exe
PID 736 wrote to memory of 5048	736	TTravelerx.exe	taskkill.exe
PID 736 wrote to memory of 5048	736	TTravelerx.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe
"C:\Users\Admin\AppData\Local\Temp\7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im TTraveler.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Icon_1.ico
  2⤵
  PID:3308
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TTravelerx.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TTravelerx.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im TTraveler.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TTravelerx.exe

Filesize
1.2MB

MD5
956972e02044d5255ba631548fab1415

SHA1
589ba5d773b4eb338f62e5839838f4f15cae5255

SHA256
7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77

SHA512
5aa928d14c01462d68a35cf45643d0364b336379dff15c5867a33dab0bea04481f6d848e5553dc872fb6e20a51e2e3e2c4a6a4fe37a470c72686959d0a3fac19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TTravelerx.exe

Filesize
1.2MB

MD5
956972e02044d5255ba631548fab1415

SHA1
589ba5d773b4eb338f62e5839838f4f15cae5255

SHA256
7037426109cf9e87a56dc4807dbe9981a6ce63071873e3180acdb7402c4a7b77

SHA512
5aa928d14c01462d68a35cf45643d0364b336379dff15c5867a33dab0bea04481f6d848e5553dc872fb6e20a51e2e3e2c4a6a4fe37a470c72686959d0a3fac19

Download Submit
memory/736-136-0x0000000000000000-mapping.dmp

Download
memory/3308-135-0x0000000000000000-mapping.dmp

Download
memory/4968-134-0x0000000000000000-mapping.dmp

Download
memory/5048-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads