6c894f3c2397870fdbef69a3956c5fd52dc8655be5b78fa128cee62ee3cb136e

Analysis

max time kernel
185s
max time network
117s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c894f3c2397870fdbef69a3956c5fd52dc8655be5b78fa128cee62ee3cb136e.exe
Size

228KB
MD5

405c3d85822fda505005f503c692be9a
SHA1

244083d167dbc958422a63480b0e8470bb754701
SHA256

6c894f3c2397870fdbef69a3956c5fd52dc8655be5b78fa128cee62ee3cb136e
SHA512

3b818d098521c76ab43c6daf31cff098aba6d3b39820a0226201f499aea48ea79874da31e9fd37cca169dca4a259a5c2675c0c37c91ed334af20bea644518d8b
SSDEEP

6144:+m/w3PFKs7aFwKWwalhrEqxF6snji81RUinKZHg/MF:+m/qPhAmZIH+C

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tnmuem.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	6c894f3c2397870fdbef69a3956c5fd52dc8655be5b78fa128cee62ee3cb136e.exe

Executes dropped EXE 1 IoCs

pid	Process
568	tnmuem.exe

Loads dropped DLL 2 IoCs

pid	Process
1744	6c894f3c2397870fdbef69a3956c5fd52dc8655be5b78fa128cee62ee3cb136e.exe
1744	6c894f3c2397870fdbef69a3956c5fd52dc8655be5b78fa128cee62ee3cb136e.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /w"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /t"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /h"	6c894f3c2397870fdbef69a3956c5fd52dc8655be5b78fa128cee62ee3cb136e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /a"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /x"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /v"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /r"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /f"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /e"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /s"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /j"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /b"	tnmuem.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /q"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /h"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /p"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /m"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /d"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /k"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /z"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /l"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /o"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /g"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /y"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /c"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /n"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /i"	tnmuem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\tnmuem = "C:\\Users\\Admin\\tnmuem.exe /u"	tnmuem.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\	6c894f3c2397870fdbef69a3956c5fd52dc8655be5b78fa128cee62ee3cb136e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1744	6c894f3c2397870fdbef69a3956c5fd52dc8655be5b78fa128cee62ee3cb136e.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe
568	tnmuem.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1744	6c894f3c2397870fdbef69a3956c5fd52dc8655be5b78fa128cee62ee3cb136e.exe
568	tnmuem.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 568	1744	6c894f3c2397870fdbef69a3956c5fd52dc8655be5b78fa128cee62ee3cb136e.exe	28
PID 1744 wrote to memory of 568	1744	6c894f3c2397870fdbef69a3956c5fd52dc8655be5b78fa128cee62ee3cb136e.exe	28
PID 1744 wrote to memory of 568	1744	6c894f3c2397870fdbef69a3956c5fd52dc8655be5b78fa128cee62ee3cb136e.exe	28
PID 1744 wrote to memory of 568	1744	6c894f3c2397870fdbef69a3956c5fd52dc8655be5b78fa128cee62ee3cb136e.exe	28

C:\Users\Admin\AppData\Local\Temp\6c894f3c2397870fdbef69a3956c5fd52dc8655be5b78fa128cee62ee3cb136e.exe
"C:\Users\Admin\AppData\Local\Temp\6c894f3c2397870fdbef69a3956c5fd52dc8655be5b78fa128cee62ee3cb136e.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\tnmuem.exe
  "C:\Users\Admin\tnmuem.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\tnmuem.exe

Filesize
228KB

MD5
f368be6e5d10e85851e7e05e51beb4ff

SHA1
5f9c2d508d33a35eed3694fcbec0fcc0bd352730

SHA256
9da574a505fb1aa77955e3840dfad5a69ea2912e88fe8f2a0ec1d737ad1fa68d

SHA512
f1c081e35239923807cccb17c8a6097b0d18a4ed96a3c674b6d4a03ac077264b632f4db12c6b08af6ed8c34fd8026cb51789cf6d5668c980ddbaec1b163a1d27

Download Submit
C:\Users\Admin\tnmuem.exe

Filesize
228KB

MD5
f368be6e5d10e85851e7e05e51beb4ff

SHA1
5f9c2d508d33a35eed3694fcbec0fcc0bd352730

SHA256
9da574a505fb1aa77955e3840dfad5a69ea2912e88fe8f2a0ec1d737ad1fa68d

SHA512
f1c081e35239923807cccb17c8a6097b0d18a4ed96a3c674b6d4a03ac077264b632f4db12c6b08af6ed8c34fd8026cb51789cf6d5668c980ddbaec1b163a1d27

Download Submit
\Users\Admin\tnmuem.exe

Filesize
228KB

MD5
f368be6e5d10e85851e7e05e51beb4ff

SHA1
5f9c2d508d33a35eed3694fcbec0fcc0bd352730

SHA256
9da574a505fb1aa77955e3840dfad5a69ea2912e88fe8f2a0ec1d737ad1fa68d

SHA512
f1c081e35239923807cccb17c8a6097b0d18a4ed96a3c674b6d4a03ac077264b632f4db12c6b08af6ed8c34fd8026cb51789cf6d5668c980ddbaec1b163a1d27

Download Submit
\Users\Admin\tnmuem.exe

Filesize
228KB

MD5
f368be6e5d10e85851e7e05e51beb4ff

SHA1
5f9c2d508d33a35eed3694fcbec0fcc0bd352730

SHA256
9da574a505fb1aa77955e3840dfad5a69ea2912e88fe8f2a0ec1d737ad1fa68d

SHA512
f1c081e35239923807cccb17c8a6097b0d18a4ed96a3c674b6d4a03ac077264b632f4db12c6b08af6ed8c34fd8026cb51789cf6d5668c980ddbaec1b163a1d27

Download Submit
memory/1744-56-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download