2da16bd4a3990c4db524feecdb41d25884c37ab7891948b957c81109c442c2b0

General

Target

TM5/TM5.exe
Size

32KB
MD5

c5cd49bcf5fc17944383d387638c955e
SHA1

13122d07d828637943ca7e8043f77beca4e76928
SHA256

b7ed4b39de012e88ec9ad7f21b0ac68a4e863fe078b5c54857a16d37d480cc21
SHA512

7bc066b43804dad6b346c375efae121c6047ae37cbf1238b1e54ebd045e90daa55cb0f9db239c9d1ac6bf31bb7a48558658ef70fe3c0492cea278de0f5cbbdc5
SSDEEP

768:0abgunPJRyK4QjjuWnXe784mX3XUVPrRG:0GxPJRyKPuWnOwhX3XUpRG

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: 33	3880	TM5.exe
Token: SeIncBasePriorityPrivilege	3880	TM5.exe
Token: 33	4400	TM5.exe
Token: SeIncBasePriorityPrivilege	4400	TM5.exe
Token: 33	216	TM5.exe
Token: SeIncBasePriorityPrivilege	216	TM5.exe
Token: 33	4652	TM5.exe
Token: SeIncBasePriorityPrivilege	4652	TM5.exe
Token: 33	2752	TM5.exe
Token: SeIncBasePriorityPrivilege	2752	TM5.exe
Token: 33	4544	TM5.exe
Token: SeIncBasePriorityPrivilege	4544	TM5.exe
Token: 33	1104	TM5.exe
Token: SeIncBasePriorityPrivilege	1104	TM5.exe
Token: 33	1896	TM5.exe
Token: SeIncBasePriorityPrivilege	1896	TM5.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3880	TM5.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 4652	3880	TM5.exe	86
PID 3880 wrote to memory of 4652	3880	TM5.exe	86
PID 3880 wrote to memory of 4652	3880	TM5.exe	86
PID 3880 wrote to memory of 4544	3880	TM5.exe	87
PID 3880 wrote to memory of 4544	3880	TM5.exe	87
PID 3880 wrote to memory of 4544	3880	TM5.exe	87
PID 3880 wrote to memory of 1104	3880	TM5.exe	88
PID 3880 wrote to memory of 1104	3880	TM5.exe	88
PID 3880 wrote to memory of 1104	3880	TM5.exe	88
PID 3880 wrote to memory of 1896	3880	TM5.exe	89
PID 3880 wrote to memory of 1896	3880	TM5.exe	89
PID 3880 wrote to memory of 1896	3880	TM5.exe	89
PID 3880 wrote to memory of 2752	3880	TM5.exe	91
PID 3880 wrote to memory of 2752	3880	TM5.exe	91
PID 3880 wrote to memory of 2752	3880	TM5.exe	91
PID 3880 wrote to memory of 216	3880	TM5.exe	92
PID 3880 wrote to memory of 216	3880	TM5.exe	92
PID 3880 wrote to memory of 216	3880	TM5.exe	92
PID 3880 wrote to memory of 4400	3880	TM5.exe	93
PID 3880 wrote to memory of 4400	3880	TM5.exe	93
PID 3880 wrote to memory of 4400	3880	TM5.exe	93

C:\Users\Admin\AppData\Local\Temp\TM5\TM5.exe
"C:\Users\Admin\AppData\Local\Temp\TM5\TM5.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Users\Admin\AppData\Local\Temp\TM5\TM5.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4652
- C:\Users\Admin\AppData\Local\Temp\TM5\TM5.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4544
- C:\Users\Admin\AppData\Local\Temp\TM5\TM5.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Users\Admin\AppData\Local\Temp\TM5\TM5.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\TM5\TM5.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Users\Admin\AppData\Local\Temp\TM5\TM5.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:216
- C:\Users\Admin\AppData\Local\Temp\TM5\TM5.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TM5\bin\MT.cfg

Filesize
283B

MD5
3737bf0953128be1bf373c46a96b2b61

SHA1
f968d9fac8994480518aa64cadd7c85e79df94f9

SHA256
00393357723a7734e4c3c1ed3e29fa6a3de0d1d9a9900740e0a765c002f40bcd

SHA512
8fa89f3f95190600643a46784ba23f9247ded4b9153bd3c11c64ea336e74e27b7ab071fa85fe70c9ca3f23b4c6caaf415a8d476ceb28b36bbe1997675c1d2828

Download Submit
C:\Users\Admin\AppData\Local\Temp\TM5\bin\MT.cfg

Filesize
750B

MD5
8899e1794098c521e364f3ca4f42ff72

SHA1
1cc96bbf3056efcd04d42d88623a19f5913cd701

SHA256
3c26fa8140fb192b27e0d091c19b669afdd1606a63e84c63ea4ac2cb39b0b0f8

SHA512
fe854522530136083822c7e5dbb9f2f383e9d106433d0ee1072c5cfa8d94cba90fb655fc166e9815516c38471238afc22b55a013b5325e4b370aa6f02c850805

Download Submit
C:\Users\Admin\AppData\Local\Temp\TM5\bin\MT.cfg

Filesize
1KB

MD5
7d37c97265204a574035b82ccce9d2e4

SHA1
7b6bafb96be8f05633dee64ecf02b838e29c6e08

SHA256
04f885fe97dafa1be7e54d0fc5b5295b9aa7d6b713592ac0dc1f1f41cda577e2

SHA512
1b2fb28402be90e776e2992881d0b1242a90663317f808a39d53e44f17dc05a9fb7bdbd79ceb849cd9713b47132739f9f78146cc01e48d5166615b1f04bfb82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TM5\bin\MT.cfg

Filesize
1KB

MD5
7d37c97265204a574035b82ccce9d2e4

SHA1
7b6bafb96be8f05633dee64ecf02b838e29c6e08

SHA256
04f885fe97dafa1be7e54d0fc5b5295b9aa7d6b713592ac0dc1f1f41cda577e2

SHA512
1b2fb28402be90e776e2992881d0b1242a90663317f808a39d53e44f17dc05a9fb7bdbd79ceb849cd9713b47132739f9f78146cc01e48d5166615b1f04bfb82f

Download Submit
memory/3880-307-0x0000000002C10000-0x0000000002CAB000-memory.dmp

Filesize
620KB

Download
memory/3880-306-0x0000000002B50000-0x0000000002C09000-memory.dmp

Filesize
740KB

Download
memory/3880-308-0x0000000002CB0000-0x0000000002F2E000-memory.dmp

Filesize
2.5MB

Download
memory/3880-309-0x0000000002F30000-0x0000000002F59000-memory.dmp

Filesize
164KB

Download
memory/3880-310-0x0000000002F60000-0x000000000303B000-memory.dmp

Filesize
876KB

Download
memory/3880-311-0x0000000004F60000-0x0000000004FF4000-memory.dmp

Filesize
592KB

Download
memory/3880-356-0x0000000002C10000-0x0000000002CAB000-memory.dmp

Filesize
620KB

Download
memory/3880-355-0x0000000002B50000-0x0000000002C09000-memory.dmp

Filesize
740KB

Download
memory/3880-367-0x0000000002B50000-0x0000000002C09000-memory.dmp

Filesize
740KB

Download

Analysis

Sharing