Overview

overview

7

Static

static

1

TP165DemoSetup.exe

windows7-x64

7

TP165DemoSetup.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    14/04/2023, 17:58

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    TP165DemoSetup.exe

  • Size

    1.0MB

  • MD5

    1fae5897048b82a979d01a59d85c0f6a

  • SHA1

    9c459457c3c5d8446639f5c6fcdf5ca9f9fb4f64

  • SHA256

    a5e422d1a6fbe9813c6d8001dcb7365febc7e0f59f94578be0e0768632056143

  • SHA512

    955ed1de0b4678246fef288616e127bcd818f1edd3979871ca1301d5b39c236d89ce01d8bc48d96ea74a3b81c9ac90b5254a81aba475235de862a855eab8d6fc

  • SSDEEP

    24576:i20oVoGTTK+PEQ3+jUGbkIASNQgJVKrhfIw1U/17+xnccYWnL:i2RTTAubmkI5Qg6tf7scv

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 20 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TP165DemoSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\TP165DemoSetup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Users\Admin\AppData\Local\Temp\is-C7R79.tmp\TP165DemoSetup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-C7R79.tmp\TP165DemoSetup.tmp" /SL5="$D0062,790253,54272,C:\Users\Admin\AppData\Local\Temp\TP165DemoSetup.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1188
      • C:\Program Files (x86)\TrackPower\TrackPower.exe
        "C:\Program Files (x86)\TrackPower\TrackPower.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:1528

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\TrackPower\Lexicorvm.TMX
          Filesize

          12KB

          MD5

          c3447447d93305564b719aad58282ec9

          SHA1

          c8fcd51f14051ee1f1b052858fa2bf080b72d3b7

          SHA256

          3d6d30895300fe7f891af419ef3b4b2bad3742a37dc72c4e38105043da73f8a7

          SHA512

          3f824e7f1c5024ac6bcd02379efc991c49e99f74c996b3511c4c99c8afe28a532119d115375eb7f5cdc368ea68f2a1e62eedb448549fe759e3af41c98ab786b8

          Download Submit

        • C:\Program Files (x86)\TrackPower\Settings.TMX
          Filesize

          75B

          MD5

          58ff7a2ff096e892beff44a9018d9518

          SHA1

          d9725826ab1bb9b117ce8f10d334449949bf7d3b

          SHA256

          72e5c4b3711561ed66a3b35f0ff954408acd96f7cc89f863370750a89b122093

          SHA512

          d438bac3896e9637922fb170e9e2b51d9904777ed0df99a45f369c05b07369ecd4ef53d58234d291927150e3b7c110d5ad7265ec87061740a3e114e31fb319a4

          Download Submit

        • C:\Program Files (x86)\TrackPower\TrackPower.exe
          Filesize

          2.5MB

          MD5

          558233df96116fbccb7a4ca1e749b2e1

          SHA1

          d7b3683bdb17fba75bd77d5243e4bc579510204f

          SHA256

          de8e700a7131493883cd0d6faa77e4bda9ae7dbb4290369ec0ccbaf11e5bb440

          SHA512

          3e9f802d71b87bc2984ca1aec8b22cb8cdb25b58e8388a3b41a66f91a3b77e4ef59cdc8ed716fc1f2a56e23c5eb653ab508dd378069f21635ad1e3eaf2372f81

          Download Submit

        • C:\Program Files (x86)\TrackPower\TrackPower.exe
          Filesize

          2.5MB

          MD5

          558233df96116fbccb7a4ca1e749b2e1

          SHA1

          d7b3683bdb17fba75bd77d5243e4bc579510204f

          SHA256

          de8e700a7131493883cd0d6faa77e4bda9ae7dbb4290369ec0ccbaf11e5bb440

          SHA512

          3e9f802d71b87bc2984ca1aec8b22cb8cdb25b58e8388a3b41a66f91a3b77e4ef59cdc8ed716fc1f2a56e23c5eb653ab508dd378069f21635ad1e3eaf2372f81

          Download Submit

        • C:\Program Files (x86)\TrackPower\TrackPower.exe
          Filesize

          2.5MB

          MD5

          558233df96116fbccb7a4ca1e749b2e1

          SHA1

          d7b3683bdb17fba75bd77d5243e4bc579510204f

          SHA256

          de8e700a7131493883cd0d6faa77e4bda9ae7dbb4290369ec0ccbaf11e5bb440

          SHA512

          3e9f802d71b87bc2984ca1aec8b22cb8cdb25b58e8388a3b41a66f91a3b77e4ef59cdc8ed716fc1f2a56e23c5eb653ab508dd378069f21635ad1e3eaf2372f81

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\is-C7R79.tmp\TP165DemoSetup.tmp
          Filesize

          683KB

          MD5

          278fe635c9715df4aaa5a1ede7fb6055

          SHA1

          04db150375043088aed618cb3cae41822407f583

          SHA256

          e783ad0432ac41daef6153a3934fa59553cc275a895faf7d829a4b94195bacda

          SHA512

          777b40cc30690478104fe1104ba9a32adc4f22b4c6cabe757dd6ba688cba2fcb24c303cef9538261e15b04c3f501882285cb3a21bdf18e37b78a6c433dd8331f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\is-C7R79.tmp\TP165DemoSetup.tmp
          Filesize

          683KB

          MD5

          278fe635c9715df4aaa5a1ede7fb6055

          SHA1

          04db150375043088aed618cb3cae41822407f583

          SHA256

          e783ad0432ac41daef6153a3934fa59553cc275a895faf7d829a4b94195bacda

          SHA512

          777b40cc30690478104fe1104ba9a32adc4f22b4c6cabe757dd6ba688cba2fcb24c303cef9538261e15b04c3f501882285cb3a21bdf18e37b78a6c433dd8331f

          Download Submit

        • memory/1188-194-0x0000000000400000-0x00000000004BA000-memory.dmp

          Filesize

          744KB

          Download

        • memory/1188-156-0x0000000000400000-0x00000000004BA000-memory.dmp

          Filesize

          744KB

          Download

        • memory/1188-141-0x0000000000400000-0x00000000004BA000-memory.dmp

          Filesize

          744KB

          Download

        • memory/1188-201-0x0000000000400000-0x00000000004BA000-memory.dmp

          Filesize

          744KB

          Download

        • memory/1188-139-0x0000000000690000-0x0000000000691000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1528-205-0x00000000026B0000-0x00000000026B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1528-206-0x0000000000400000-0x00000000007B8000-memory.dmp

          Filesize

          3.7MB

          Download

        • memory/1528-207-0x00000000026B0000-0x00000000026B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5060-133-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

          Download

        • memory/5060-140-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

          Download

        • memory/5060-202-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

          Download