a5e422d1a6fbe9813c6d8001dcb7365febc7e0f59f94578be0e0768632056143

Analysis

max time kernel
135s
max time network
41s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
14/04/2023, 17:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

TP165DemoSetup.exe
Size

1.0MB
MD5

1fae5897048b82a979d01a59d85c0f6a
SHA1

9c459457c3c5d8446639f5c6fcdf5ca9f9fb4f64
SHA256

a5e422d1a6fbe9813c6d8001dcb7365febc7e0f59f94578be0e0768632056143
SHA512

955ed1de0b4678246fef288616e127bcd818f1edd3979871ca1301d5b39c236d89ce01d8bc48d96ea74a3b81c9ac90b5254a81aba475235de862a855eab8d6fc
SSDEEP

24576:i20oVoGTTK+PEQ3+jUGbkIASNQgJVKrhfIw1U/17+xnccYWnL:i2RTTAubmkI5Qg6tf7scv

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1032	TP165DemoSetup.tmp
1904	TrackPower.exe

Loads dropped DLL 7 IoCs

pid	Process
1080	TP165DemoSetup.exe
1032	TP165DemoSetup.tmp
1032	TP165DemoSetup.tmp
1032	TP165DemoSetup.tmp
1032	TP165DemoSetup.tmp
1032	TP165DemoSetup.tmp
1032	TP165DemoSetup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\TrackPower\is-O4R2H.tmp	TP165DemoSetup.tmp
File created	C:\Program Files (x86)\TrackPower\is-HLOPC.tmp	TP165DemoSetup.tmp
File opened for modification	C:\Program Files (x86)\TrackPower\unins000.dat	TP165DemoSetup.tmp
File created	C:\Program Files (x86)\TrackPower\is-EVR0I.tmp	TP165DemoSetup.tmp
File created	C:\Program Files (x86)\TrackPower\is-SP679.tmp	TP165DemoSetup.tmp
File created	C:\Program Files (x86)\TrackPower\is-SRLTQ.tmp	TP165DemoSetup.tmp
File created	C:\Program Files (x86)\TrackPower\is-M5U4F.tmp	TP165DemoSetup.tmp
File created	C:\Program Files (x86)\TrackPower\is-6OH1K.tmp	TP165DemoSetup.tmp
File opened for modification	C:\Program Files (x86)\TrackPower\Stock.TMX	TrackPower.exe
File created	C:\Program Files (x86)\TrackPower\unins000.dat	TP165DemoSetup.tmp
File created	C:\Program Files (x86)\TrackPower\is-ONV74.tmp	TP165DemoSetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TrackPowerCircuit\shell\open\command	TP165DemoSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.TMX	TP165DemoSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TrackPowerSettings\ = "TrackPower Settings File"	TP165DemoSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TrackPowerSettings\DefaultIcon	TP165DemoSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TrackPowerSettings\shell\open\command\ = "\"C:\\Program Files (x86)\\TrackPower\\TrackPower.EXE\" \"%1\""	TP165DemoSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TrackPowerCircuit\ = "TrackPower Circuit File"	TP165DemoSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TrackPowerCircuit\DefaultIcon\ = "\"C:\\Program Files (x86)\\TrackPower\\Circuit.ico\""	TP165DemoSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TrackPowerCircuit\shell\open	TP165DemoSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.TMX\ = "TrackPowerSettings"	TP165DemoSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TrackPowerSettings\DefaultIcon\ = "\"C:\\Program Files (x86)\\TrackPower\\Settings.ico\""	TP165DemoSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TrackPowerSettings\shell\open	TP165DemoSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TrackPowerCircuit\DefaultIcon	TP165DemoSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.TPC\ = "TrackPowerCircuit"	TP165DemoSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TrackPowerCircuit	TP165DemoSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TrackPowerCircuit\shell	TP165DemoSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TrackPowerSettings\shell\open\command	TP165DemoSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.TPC	TP165DemoSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TrackPowerSettings	TP165DemoSetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TrackPowerSettings\shell	TP165DemoSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TrackPowerCircuit\shell\open\command\ = "\"C:\\Program Files (x86)\\TrackPower\\TrackPower.EXE\" \"%1\""	TP165DemoSetup.tmp

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1032	TP165DemoSetup.tmp
1904	TrackPower.exe
1904	TrackPower.exe
1904	TrackPower.exe
1904	TrackPower.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 1032	1080	TP165DemoSetup.exe	28
PID 1080 wrote to memory of 1032	1080	TP165DemoSetup.exe	28
PID 1080 wrote to memory of 1032	1080	TP165DemoSetup.exe	28
PID 1080 wrote to memory of 1032	1080	TP165DemoSetup.exe	28
PID 1080 wrote to memory of 1032	1080	TP165DemoSetup.exe	28
PID 1080 wrote to memory of 1032	1080	TP165DemoSetup.exe	28
PID 1080 wrote to memory of 1032	1080	TP165DemoSetup.exe	28
PID 1032 wrote to memory of 1904	1032	TP165DemoSetup.tmp	30
PID 1032 wrote to memory of 1904	1032	TP165DemoSetup.tmp	30
PID 1032 wrote to memory of 1904	1032	TP165DemoSetup.tmp	30
PID 1032 wrote to memory of 1904	1032	TP165DemoSetup.tmp	30

C:\Users\Admin\AppData\Local\Temp\TP165DemoSetup.exe
"C:\Users\Admin\AppData\Local\Temp\TP165DemoSetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\is-M441U.tmp\TP165DemoSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-M441U.tmp\TP165DemoSetup.tmp" /SL5="$70132,790253,54272,C:\Users\Admin\AppData\Local\Temp\TP165DemoSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Program Files (x86)\TrackPower\TrackPower.exe
    "C:\Program Files (x86)\TrackPower\TrackPower.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    PID:1904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TrackPower\Lexicorvm.TMX

Filesize
12KB

MD5
c3447447d93305564b719aad58282ec9

SHA1
c8fcd51f14051ee1f1b052858fa2bf080b72d3b7

SHA256
3d6d30895300fe7f891af419ef3b4b2bad3742a37dc72c4e38105043da73f8a7

SHA512
3f824e7f1c5024ac6bcd02379efc991c49e99f74c996b3511c4c99c8afe28a532119d115375eb7f5cdc368ea68f2a1e62eedb448549fe759e3af41c98ab786b8

Download Submit
C:\Program Files (x86)\TrackPower\Settings.TMX

Filesize
75B

MD5
58ff7a2ff096e892beff44a9018d9518

SHA1
d9725826ab1bb9b117ce8f10d334449949bf7d3b

SHA256
72e5c4b3711561ed66a3b35f0ff954408acd96f7cc89f863370750a89b122093

SHA512
d438bac3896e9637922fb170e9e2b51d9904777ed0df99a45f369c05b07369ecd4ef53d58234d291927150e3b7c110d5ad7265ec87061740a3e114e31fb319a4

Download Submit
C:\Program Files (x86)\TrackPower\TrackPower.exe

Filesize
2.5MB

MD5
558233df96116fbccb7a4ca1e749b2e1

SHA1
d7b3683bdb17fba75bd77d5243e4bc579510204f

SHA256
de8e700a7131493883cd0d6faa77e4bda9ae7dbb4290369ec0ccbaf11e5bb440

SHA512
3e9f802d71b87bc2984ca1aec8b22cb8cdb25b58e8388a3b41a66f91a3b77e4ef59cdc8ed716fc1f2a56e23c5eb653ab508dd378069f21635ad1e3eaf2372f81

Download Submit
C:\Program Files (x86)\TrackPower\TrackPower.exe

Filesize
2.5MB

MD5
558233df96116fbccb7a4ca1e749b2e1

SHA1
d7b3683bdb17fba75bd77d5243e4bc579510204f

SHA256
de8e700a7131493883cd0d6faa77e4bda9ae7dbb4290369ec0ccbaf11e5bb440

SHA512
3e9f802d71b87bc2984ca1aec8b22cb8cdb25b58e8388a3b41a66f91a3b77e4ef59cdc8ed716fc1f2a56e23c5eb653ab508dd378069f21635ad1e3eaf2372f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M441U.tmp\TP165DemoSetup.tmp

Filesize
683KB

MD5
278fe635c9715df4aaa5a1ede7fb6055

SHA1
04db150375043088aed618cb3cae41822407f583

SHA256
e783ad0432ac41daef6153a3934fa59553cc275a895faf7d829a4b94195bacda

SHA512
777b40cc30690478104fe1104ba9a32adc4f22b4c6cabe757dd6ba688cba2fcb24c303cef9538261e15b04c3f501882285cb3a21bdf18e37b78a6c433dd8331f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M441U.tmp\TP165DemoSetup.tmp

Filesize
683KB

MD5
278fe635c9715df4aaa5a1ede7fb6055

SHA1
04db150375043088aed618cb3cae41822407f583

SHA256
e783ad0432ac41daef6153a3934fa59553cc275a895faf7d829a4b94195bacda

SHA512
777b40cc30690478104fe1104ba9a32adc4f22b4c6cabe757dd6ba688cba2fcb24c303cef9538261e15b04c3f501882285cb3a21bdf18e37b78a6c433dd8331f

Download Submit
\Program Files (x86)\TrackPower\TrackPower.exe

Filesize
2.5MB

MD5
558233df96116fbccb7a4ca1e749b2e1

SHA1
d7b3683bdb17fba75bd77d5243e4bc579510204f

SHA256
de8e700a7131493883cd0d6faa77e4bda9ae7dbb4290369ec0ccbaf11e5bb440

SHA512
3e9f802d71b87bc2984ca1aec8b22cb8cdb25b58e8388a3b41a66f91a3b77e4ef59cdc8ed716fc1f2a56e23c5eb653ab508dd378069f21635ad1e3eaf2372f81

Download Submit
\Program Files (x86)\TrackPower\TrackPower.exe

Filesize
2.5MB

MD5
558233df96116fbccb7a4ca1e749b2e1

SHA1
d7b3683bdb17fba75bd77d5243e4bc579510204f

SHA256
de8e700a7131493883cd0d6faa77e4bda9ae7dbb4290369ec0ccbaf11e5bb440

SHA512
3e9f802d71b87bc2984ca1aec8b22cb8cdb25b58e8388a3b41a66f91a3b77e4ef59cdc8ed716fc1f2a56e23c5eb653ab508dd378069f21635ad1e3eaf2372f81

Download Submit
\Program Files (x86)\TrackPower\TrackPower.exe

Filesize
2.5MB

MD5
558233df96116fbccb7a4ca1e749b2e1

SHA1
d7b3683bdb17fba75bd77d5243e4bc579510204f

SHA256
de8e700a7131493883cd0d6faa77e4bda9ae7dbb4290369ec0ccbaf11e5bb440

SHA512
3e9f802d71b87bc2984ca1aec8b22cb8cdb25b58e8388a3b41a66f91a3b77e4ef59cdc8ed716fc1f2a56e23c5eb653ab508dd378069f21635ad1e3eaf2372f81

Download Submit
\Program Files (x86)\TrackPower\unins000.exe

Filesize
695KB

MD5
ad227bfc1bd4afabb036941330385533

SHA1
c9328f5f391975fdfb22ca89983a26b7ac8c879f

SHA256
1e070dce6e537848dba73f752aa7ac17fddd9cdaadd8eee8f70460364fcb4b5e

SHA512
311e722f202070bcf72e1dab1c19eb85112c06e6bbeca76f5fa8076682851a40248cea5856ae99e0e3a689f397fc31143a9961f99b59bda6a40711a06693fb13

Download Submit
\Users\Admin\AppData\Local\Temp\is-5GI5R.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-5GI5R.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-M441U.tmp\TP165DemoSetup.tmp

Filesize
683KB

MD5
278fe635c9715df4aaa5a1ede7fb6055

SHA1
04db150375043088aed618cb3cae41822407f583

SHA256
e783ad0432ac41daef6153a3934fa59553cc275a895faf7d829a4b94195bacda

SHA512
777b40cc30690478104fe1104ba9a32adc4f22b4c6cabe757dd6ba688cba2fcb24c303cef9538261e15b04c3f501882285cb3a21bdf18e37b78a6c433dd8331f

Download Submit
memory/1032-62-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1032-76-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1032-74-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1032-72-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1032-71-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1032-124-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1080-70-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1080-125-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1080-54-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1904-127-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1904-129-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/1904-130-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1904-134-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/1904-135-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/1904-136-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/1904-137-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/1904-139-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download