0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9

Analysis

max time kernel
30s
max time network
30s
platform
windows10-2004_x64
resource
win10v2004-20220812-es
resource tags

arch:x64arch:x86image:win10v2004-20220812-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
06/02/2023, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TCPOptimizer.exe
Size

668KB
MD5

d8292150c8ce862a97a923318df07805
SHA1

917f917ff9fe33e199388e5e1d4c0696882d2991
SHA256

0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9
SHA512

3f23dd72d066d3f09a49c5dcf062471cfd412cf65934c25887774c1060d2efa8cb277df5ffb89272c5cb1aab6498e3e82b9d6ec9725b5b7263de60cc9198d475
SSDEEP

6144:h0eD/NMpAte8M0Ic61arFbMAIhTRlDDHbndz+vTEEIeh+b6YzICrz/KiiUy5q7:C1B8g1arhMAURdndzQTEEI7b6Yz3m5W

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3520	PowerShell.exe
3520	PowerShell.exe
1560	PowerShell.exe
1560	PowerShell.exe
224	PowerShell.exe
224	PowerShell.exe
364	PowerShell.exe
364	PowerShell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3520	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	3520	PowerShell.exe
Token: SeSecurityPrivilege	3520	PowerShell.exe
Token: SeTakeOwnershipPrivilege	3520	PowerShell.exe
Token: SeLoadDriverPrivilege	3520	PowerShell.exe
Token: SeSystemProfilePrivilege	3520	PowerShell.exe
Token: SeSystemtimePrivilege	3520	PowerShell.exe
Token: SeProfSingleProcessPrivilege	3520	PowerShell.exe
Token: SeIncBasePriorityPrivilege	3520	PowerShell.exe
Token: SeCreatePagefilePrivilege	3520	PowerShell.exe
Token: SeBackupPrivilege	3520	PowerShell.exe
Token: SeRestorePrivilege	3520	PowerShell.exe
Token: SeShutdownPrivilege	3520	PowerShell.exe
Token: SeDebugPrivilege	3520	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	3520	PowerShell.exe
Token: SeRemoteShutdownPrivilege	3520	PowerShell.exe
Token: SeUndockPrivilege	3520	PowerShell.exe
Token: SeManageVolumePrivilege	3520	PowerShell.exe
Token: 33	3520	PowerShell.exe
Token: 34	3520	PowerShell.exe
Token: 35	3520	PowerShell.exe
Token: 36	3520	PowerShell.exe
Token: SeDebugPrivilege	1560	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	1560	PowerShell.exe
Token: SeSecurityPrivilege	1560	PowerShell.exe
Token: SeTakeOwnershipPrivilege	1560	PowerShell.exe
Token: SeLoadDriverPrivilege	1560	PowerShell.exe
Token: SeSystemProfilePrivilege	1560	PowerShell.exe
Token: SeSystemtimePrivilege	1560	PowerShell.exe
Token: SeProfSingleProcessPrivilege	1560	PowerShell.exe
Token: SeIncBasePriorityPrivilege	1560	PowerShell.exe
Token: SeCreatePagefilePrivilege	1560	PowerShell.exe
Token: SeBackupPrivilege	1560	PowerShell.exe
Token: SeRestorePrivilege	1560	PowerShell.exe
Token: SeShutdownPrivilege	1560	PowerShell.exe
Token: SeDebugPrivilege	1560	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	1560	PowerShell.exe
Token: SeRemoteShutdownPrivilege	1560	PowerShell.exe
Token: SeUndockPrivilege	1560	PowerShell.exe
Token: SeManageVolumePrivilege	1560	PowerShell.exe
Token: 33	1560	PowerShell.exe
Token: 34	1560	PowerShell.exe
Token: 35	1560	PowerShell.exe
Token: 36	1560	PowerShell.exe
Token: SeDebugPrivilege	224	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	224	PowerShell.exe
Token: SeSecurityPrivilege	224	PowerShell.exe
Token: SeTakeOwnershipPrivilege	224	PowerShell.exe
Token: SeLoadDriverPrivilege	224	PowerShell.exe
Token: SeSystemProfilePrivilege	224	PowerShell.exe
Token: SeSystemtimePrivilege	224	PowerShell.exe
Token: SeProfSingleProcessPrivilege	224	PowerShell.exe
Token: SeIncBasePriorityPrivilege	224	PowerShell.exe
Token: SeCreatePagefilePrivilege	224	PowerShell.exe
Token: SeBackupPrivilege	224	PowerShell.exe
Token: SeRestorePrivilege	224	PowerShell.exe
Token: SeShutdownPrivilege	224	PowerShell.exe
Token: SeDebugPrivilege	224	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	224	PowerShell.exe
Token: SeRemoteShutdownPrivilege	224	PowerShell.exe
Token: SeUndockPrivilege	224	PowerShell.exe
Token: SeManageVolumePrivilege	224	PowerShell.exe
Token: 33	224	PowerShell.exe
Token: 34	224	PowerShell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4392	TCPOptimizer.exe
4392	TCPOptimizer.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 788	4392	TCPOptimizer.exe	79
PID 4392 wrote to memory of 788	4392	TCPOptimizer.exe	79
PID 4392 wrote to memory of 788	4392	TCPOptimizer.exe	79
PID 4392 wrote to memory of 948	4392	TCPOptimizer.exe	81
PID 4392 wrote to memory of 948	4392	TCPOptimizer.exe	81
PID 4392 wrote to memory of 3520	4392	TCPOptimizer.exe	83
PID 4392 wrote to memory of 3520	4392	TCPOptimizer.exe	83
PID 4392 wrote to memory of 1560	4392	TCPOptimizer.exe	87
PID 4392 wrote to memory of 1560	4392	TCPOptimizer.exe	87
PID 4392 wrote to memory of 224	4392	TCPOptimizer.exe	89
PID 4392 wrote to memory of 224	4392	TCPOptimizer.exe	89
PID 4392 wrote to memory of 4476	4392	TCPOptimizer.exe	94
PID 4392 wrote to memory of 4476	4392	TCPOptimizer.exe	94
PID 4392 wrote to memory of 364	4392	TCPOptimizer.exe	96
PID 4392 wrote to memory of 364	4392	TCPOptimizer.exe	96

C:\Users\Admin\AppData\Local\Temp\TCPOptimizer.exe
"C:\Users\Admin\AppData\Local\Temp\TCPOptimizer.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Windows\SysWOW64\netsh.exe
  netsh int tcp show supplemental
  2⤵
  PID:788
- C:\Windows\SYSTEM32\netsh.exe
  netsh int ip show interfaces
  2⤵
  PID:948
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Get-NetAdapterLso -Name '*'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3520
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Get-NetAdapterChecksumOffload '*'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Get-NetTCPSetting -SettingName internet
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:224
- C:\Windows\SYSTEM32\netsh.exe
  netsh int tcp show global
  2⤵
  PID:4476
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Get-NetOffloadGlobalSetting
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3ce0cfa81b5669f2e9f62c963d475937

SHA1
b89341f0fba580910c703dca44328d2ebb483692

SHA256
333c9df22b014e78758ffc3a99184cd797c3860cc6b2c4f0c185aa528ad32a57

SHA512
2339a41fada88f54332054b5bcdee49864c36fb52c9d0d5911b9c53406583222c6864562cd35c70634bd658695e9441e34844a5561eee0e956d362bfa242d6a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
19eb18e5030b06a0f77a380246deedad

SHA1
19ea5fdcea2b5159e9d1504bd8722e1c0d13d278

SHA256
d911c12d31a0182ed713adabb70b0b4ba808b83078c6ee923ede90868f1c0238

SHA512
59bd3593e51bc6f969320188eda128c97f4b14520e9d4621f7065471e1b350e9d9325b79cd38f92928f275b3c047131690f1cc0c0ec31743f417fb33292ecac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
129eace2d61de76167afff65ab64df64

SHA1
2f8cbf8ba79389eef3ae0f1456786ec5ffb027e1

SHA256
92c3b4f79c54d068b6f30d543d1c0ccfd23bc49ca3a0ab91b57f4ea663b7d7cc

SHA512
33bd63f4b1ff3f717834ea63a0d8b30f4e864c97d2c2ac68f7e531ae8e60238884ed45ad1ffca314ae1bf4b043d453505e133bab7341108912fce21bc3663d19

Download Submit
memory/224-150-0x00007FFB4C090000-0x00007FFB4CB51000-memory.dmp

Filesize
10.8MB

Download
memory/224-152-0x00007FFB4C090000-0x00007FFB4CB51000-memory.dmp

Filesize
10.8MB

Download
memory/224-151-0x0000015B604F0000-0x0000015B60504000-memory.dmp

Filesize
80KB

Download
memory/364-157-0x00007FFB4B910000-0x00007FFB4C3D1000-memory.dmp

Filesize
10.8MB

Download
memory/364-156-0x00007FFB4B910000-0x00007FFB4C3D1000-memory.dmp

Filesize
10.8MB

Download
memory/1560-147-0x00007FFB4C090000-0x00007FFB4CB51000-memory.dmp

Filesize
10.8MB

Download
memory/1560-146-0x00007FFB4C090000-0x00007FFB4CB51000-memory.dmp

Filesize
10.8MB

Download
memory/3520-137-0x0000021B3E390000-0x0000021B3E3B2000-memory.dmp

Filesize
136KB

Download
memory/3520-136-0x0000021B3E420000-0x0000021B3E4A2000-memory.dmp

Filesize
520KB

Download
memory/3520-142-0x00007FFB4C090000-0x00007FFB4CB51000-memory.dmp

Filesize
10.8MB

Download
memory/3520-141-0x0000021B3E5B0000-0x0000021B3E5FA000-memory.dmp

Filesize
296KB

Download
memory/3520-140-0x00007FFB4C090000-0x00007FFB4CB51000-memory.dmp

Filesize
10.8MB

Download
memory/3520-139-0x0000021B3E6C0000-0x0000021B3E7C2000-memory.dmp

Filesize
1.0MB

Download
memory/3520-138-0x0000021B23170000-0x0000021B23180000-memory.dmp

Filesize
64KB

Download
memory/4392-133-0x0000000000798000-0x00000000007B4000-memory.dmp

Filesize
112KB

Download