8df0745626904fc9ff5af58d3f0da4fa8b453332c8ee799f5dd8a446af31b9a3

Analysis

max time kernel
263s
max time network
333s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8df0745626904fc9ff5af58d3f0da4fa8b453332c8ee799f5dd8a446af31b9a3.exe
Size

135KB
MD5

518a2c56294764404a2f7129e7ca69f0
SHA1

fe0560e4a6774be4ec42b3f9613c30af56edbc1c
SHA256

8df0745626904fc9ff5af58d3f0da4fa8b453332c8ee799f5dd8a446af31b9a3
SHA512

85e884faf29dbc4e227892ee9a3fe1539c3e525a54a20e52762eb9b9939cf4928d5a65458abd2db19009fe0f5a77d16c39f4638dd62f63db0b6f6af930bdb54b
SSDEEP

3072:7Z65Cm/c3VsweCeXRzeSeVeEe0eDQ8jrTrd:t4Hc3VsZR3Q8jrTr

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tmkop.exe

Executes dropped EXE 1 IoCs

pid	Process
2008	tmkop.exe

Loads dropped DLL 2 IoCs

pid	Process
656	8df0745626904fc9ff5af58d3f0da4fa8b453332c8ee799f5dd8a446af31b9a3.exe
656	8df0745626904fc9ff5af58d3f0da4fa8b453332c8ee799f5dd8a446af31b9a3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	tmkop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tmkop = "C:\\Users\\Admin\\tmkop.exe"	tmkop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe
2008	tmkop.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
656	8df0745626904fc9ff5af58d3f0da4fa8b453332c8ee799f5dd8a446af31b9a3.exe
2008	tmkop.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 2008	656	8df0745626904fc9ff5af58d3f0da4fa8b453332c8ee799f5dd8a446af31b9a3.exe	28
PID 656 wrote to memory of 2008	656	8df0745626904fc9ff5af58d3f0da4fa8b453332c8ee799f5dd8a446af31b9a3.exe	28
PID 656 wrote to memory of 2008	656	8df0745626904fc9ff5af58d3f0da4fa8b453332c8ee799f5dd8a446af31b9a3.exe	28
PID 656 wrote to memory of 2008	656	8df0745626904fc9ff5af58d3f0da4fa8b453332c8ee799f5dd8a446af31b9a3.exe	28
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15
PID 2008 wrote to memory of 656	2008	tmkop.exe	15

C:\Users\Admin\AppData\Local\Temp\8df0745626904fc9ff5af58d3f0da4fa8b453332c8ee799f5dd8a446af31b9a3.exe
"C:\Users\Admin\AppData\Local\Temp\8df0745626904fc9ff5af58d3f0da4fa8b453332c8ee799f5dd8a446af31b9a3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:656
- C:\Users\Admin\tmkop.exe
  "C:\Users\Admin\tmkop.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\tmkop.exe

Filesize
135KB

MD5
32f315308512e0535c14985ae5587dc7

SHA1
83bfdf9ff5b09656ca3eda26f14c5c2dd98e1e2d

SHA256
16e7030039b33229bec743f524b4b31a625ca115747fdc918e9485550749a799

SHA512
aa848eefd208c49ee7f61b72bce804ded0f5fb1219a1ea07706320b2d3e977e0b5209d74046a44da6c84e88ba9fb05f9cf8fd797e5aa4d9dd3d5bcdc5870a287

Download Submit
C:\Users\Admin\tmkop.exe

Filesize
135KB

MD5
32f315308512e0535c14985ae5587dc7

SHA1
83bfdf9ff5b09656ca3eda26f14c5c2dd98e1e2d

SHA256
16e7030039b33229bec743f524b4b31a625ca115747fdc918e9485550749a799

SHA512
aa848eefd208c49ee7f61b72bce804ded0f5fb1219a1ea07706320b2d3e977e0b5209d74046a44da6c84e88ba9fb05f9cf8fd797e5aa4d9dd3d5bcdc5870a287

Download Submit
\Users\Admin\tmkop.exe

Filesize
135KB

MD5
32f315308512e0535c14985ae5587dc7

SHA1
83bfdf9ff5b09656ca3eda26f14c5c2dd98e1e2d

SHA256
16e7030039b33229bec743f524b4b31a625ca115747fdc918e9485550749a799

SHA512
aa848eefd208c49ee7f61b72bce804ded0f5fb1219a1ea07706320b2d3e977e0b5209d74046a44da6c84e88ba9fb05f9cf8fd797e5aa4d9dd3d5bcdc5870a287

Download Submit
\Users\Admin\tmkop.exe

Filesize
135KB

MD5
32f315308512e0535c14985ae5587dc7

SHA1
83bfdf9ff5b09656ca3eda26f14c5c2dd98e1e2d

SHA256
16e7030039b33229bec743f524b4b31a625ca115747fdc918e9485550749a799

SHA512
aa848eefd208c49ee7f61b72bce804ded0f5fb1219a1ea07706320b2d3e977e0b5209d74046a44da6c84e88ba9fb05f9cf8fd797e5aa4d9dd3d5bcdc5870a287

Download Submit
memory/656-56-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/2008-59-0x0000000000000000-mapping.dmp

Download