50fa244bace65606484686c0468c38c07cacf8d51dd4be774e231dc94b63371c

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2023 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoices.lnk
Size

1KB
MD5

cbe684367925c53f7a9026f252011724
SHA1

ec8cf089aa811c009683c8ee4e5183750ef0452e
SHA256

744abbb0d8d00bc5eb058ce47ffffa971c7dbd03a9b204c67284080e99d982da
SHA512

7d06394b39ee7b7c9570307fd1f6349fa440ed3d21f8f1ee67ae35c9b3bacabe214b47830e498e56f2fd51f02de44ec2e1625de21abdce5af5fec69f139fdad0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2316 4796 WerFault.exe tvp.exe
2636 4796 WerFault.exe tvp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	pid_target	process	target process
2316	4796	WerFault.exe	tvp.exe
2636	4796	WerFault.exe	tvp.exe

Modifies registry class 10 IoCs

Processes:

tvp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell\open\command	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell\open\command	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell	tvp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Res\\tvp.exe -dvd %1"	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell\open	tvp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Res\\tvp.exe %1"	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell\open	tvp.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

tvp.exe

pid process

4796 tvp.exe
4796 tvp.exe
4796 tvp.exe

pid	process
4796	tvp.exe
4796	tvp.exe
4796	tvp.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

cmd.exeexplorer.exe

description	pid	process	target process
PID 1184 wrote to memory of 4836	1184	cmd.exe	explorer.exe
PID 1184 wrote to memory of 4836	1184	cmd.exe	explorer.exe
PID 5116 wrote to memory of 4796	5116	explorer.exe	tvp.exe
PID 5116 wrote to memory of 4796	5116	explorer.exe	tvp.exe
PID 5116 wrote to memory of 4796	5116	explorer.exe	tvp.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Invoices.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" Res\tvp.exe
  2⤵
  PID:4836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Users\Admin\AppData\Local\Temp\Res\tvp.exe
  "C:\Users\Admin\AppData\Local\Temp\Res\tvp.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 656
    3⤵
    - Program crash
    PID:2316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 664
    3⤵
    - Program crash
    PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4796 -ip 4796
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4796 -ip 4796
1⤵
PID:728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4796-133-0x00000000021D0000-0x00000000021FB000-memory.dmp

Filesize
172KB

Download