739a38ab9a9ff169ad806fe52affb72995ce8944d2e9a42dfd91e41bffcec316

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27/08/2023, 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

739a38ab9a9ff169ad806fe52affb72995ce8944d2e9a42dfd91e41bffcec316.exe
Size

536KB
MD5

35c62921f6d6b930053b6cbb32d48a24
SHA1

15ba18d0e71a05fa47c149d9427f05c10236cd2f
SHA256

739a38ab9a9ff169ad806fe52affb72995ce8944d2e9a42dfd91e41bffcec316
SHA512

cb7c3ea83fb8b22fae94b2fa9e7e19cea101dd24815c2729cf2465dbe484740df75c2a9680700c0f94aa24ba37c32a40625a8252b0aaaa6a0cea2a8e82b0323c
SSDEEP

12288:2Qab4j0WxHHxvgZ5Debn9XdvVYf8tn5+qqheFgOkx2LIa:Tvj0oxv2Dezv/tx3yOkx2LF

Score

10^/10

upx vmprotect

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2788 created 632	2788	Explorer.EXE	18

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\HPNZ5Xgb.sys	tcmsetup.exe
File opened for modification	C:\Windows\system32\drivers\EM706g3o2krbr4.sys	tcmsetup.exe
File opened for modification	C:\Windows\system32\drivers\9ZTIwL2ZUAe7w.wqm	tcmsetup.exe
File opened for modification	C:\Windows\system32\drivers\yGz6mnW6Zay4o1.sys	tcmsetup.exe
File opened for modification	C:\Windows\system32\drivers\smIDtQYGM5.fan	tcmsetup.exe
File opened for modification	C:\Windows\system32\drivers\BV9TCaIOSy.sys	tcmsetup.exe
File opened for modification	C:\Windows\system32\drivers\qW3zggPnj3R.oeo	tcmsetup.exe
File opened for modification	C:\Windows\system32\drivers\1zmHEl9LEMCJ.sys	tcmsetup.exe
File opened for modification	C:\Windows\system32\drivers\gw7Budl6Od.wjm	tcmsetup.exe

Executes dropped EXE 1 IoCs

pid	Process
5044	tcmsetup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2116-0-0x0000000000960000-0x0000000000A62000-memory.dmp	upx
behavioral2/memory/2116-20-0x0000000000960000-0x0000000000A62000-memory.dmp	upx
behavioral2/memory/2116-33-0x0000000000960000-0x0000000000A62000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000a000000023258-104.dat	vmprotect
behavioral2/files/0x0018000000023258-164.dat	vmprotect
behavioral2/files/0x0025000000023258-220.dat	vmprotect
behavioral2/files/0x0033000000023258-276.dat	vmprotect

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\LONSORiXvib.sys	tcmsetup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E	tcmsetup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	tcmsetup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	tcmsetup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	tcmsetup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	tcmsetup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	tcmsetup.exe
File created	C:\Windows\system32\ \Windows\System32\r292I24.sys	tcmsetup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	tcmsetup.exe
File opened for modification	C:\Windows\system32\gsIcV64v9Oih.sys	tcmsetup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	tcmsetup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E	tcmsetup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	tcmsetup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	tcmsetup.exe
File opened for modification	C:\Windows\system32\eaQUt82zh00M.plo	tcmsetup.exe
File opened for modification	C:\Windows\system32\hY2K2EZNWcVU.yvj	tcmsetup.exe
File opened for modification	C:\Windows\system32\RKeISnZXS2KKX.sys	tcmsetup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	tcmsetup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	tcmsetup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	tcmsetup.exe
File opened for modification	C:\Windows\system32\NLTg5hpn9VZ.sys	tcmsetup.exe
File opened for modification	C:\Windows\system32\rYqqZNQWFZaPOM.hmm	tcmsetup.exe
File opened for modification	C:\Windows\system32\eqAVGFIFulfEI.gve	tcmsetup.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\llMsVxaDEE5.zmb	tcmsetup.exe
File opened for modification	C:\Program Files (x86)\TEANucue2gWvK.sys	tcmsetup.exe
File opened for modification	C:\Program Files\Windows Portable Devices\manifest.json	Explorer.EXE
File opened for modification	C:\Program Files\o1qB3uVk86SzFR.sys	tcmsetup.exe
File opened for modification	C:\Program Files (x86)\itmmc5DtIFGukv.dof	tcmsetup.exe
File opened for modification	C:\Program Files (x86)\OqLVkt38X4w.sys	tcmsetup.exe
File opened for modification	C:\Program Files (x86)\EwwhsISGlTrDe.dqd	tcmsetup.exe
File opened for modification	C:\Program Files\MSBuild\47bc736f.html	tcmsetup.exe
File opened for modification	C:\Program Files\MSBuild\56155752.js	tcmsetup.exe
File opened for modification	C:\Program Files\MSBuild\lib\646e3b35.js	tcmsetup.exe
File opened for modification	C:\Program Files\Windows Portable Devices\39639084.js	Explorer.EXE
File opened for modification	C:\Program Files\Ih9Jot3Cak.tys	tcmsetup.exe
File opened for modification	C:\Program Files\jEj7jNo5q8rdbj.sys	tcmsetup.exe
File opened for modification	C:\Program Files\hGKOK2rcQYMS.sys	tcmsetup.exe
File opened for modification	C:\Program Files\5kjWKPjEnB9jPF.exs	tcmsetup.exe
File opened for modification	C:\Program Files\MSBuild\manifest.json	tcmsetup.exe
File opened for modification	C:\Program Files\Windows Portable Devices\47bc74a5.html	Explorer.EXE
File opened for modification	C:\Program Files\Windows Portable Devices\561558c6.js	Explorer.EXE
File opened for modification	C:\Program Files (x86)\QOum53oghEQa7X.sys	tcmsetup.exe
File opened for modification	C:\Program Files\me0Tpvj1W8Crhk.jip	tcmsetup.exe
File opened for modification	C:\Program Files (x86)\Fwmkw0HQ0HR.rgl	tcmsetup.exe
File opened for modification	C:\Program Files (x86)\0VXuBvaT6sMho.sys	tcmsetup.exe
File opened for modification	C:\Program Files (x86)\OEm2Myl3nu9kC.cfa	tcmsetup.exe
File opened for modification	C:\Program Files\MSBuild\39638f8c.js	tcmsetup.exe
File opened for modification	C:\Program Files\Windows Portable Devices\lib\646e3ce7.js	Explorer.EXE
File opened for modification	C:\Program Files\9wIRFr38dr.sys	tcmsetup.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\bWvdaIgfMlJY.sys	tcmsetup.exe
File opened for modification	C:\Windows\HyKOTGjsiVDwT.oeq	tcmsetup.exe
File opened for modification	C:\Windows\pRo1KjMuM9ZP.sys	tcmsetup.exe
File opened for modification	C:\Windows\qtSSxWraRDrHuH.gaw	tcmsetup.exe
File created	C:\Windows\Logs\tcmsetup.exe	Explorer.EXE
File opened for modification	C:\Windows\0eoaFv3paM.sys	tcmsetup.exe
File opened for modification	C:\Windows\r8aZ4tmklup.sys	tcmsetup.exe
File opened for modification	C:\Windows\QbWpJg12aozTH.nax	tcmsetup.exe
File opened for modification	C:\Windows\Logs\tcmsetup.exe	Explorer.EXE
File created	C:\Windows\AMYzLt.sys	tcmsetup.exe
File opened for modification	C:\Windows\owU1zymHQMf.cjv	tcmsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3860	timeout.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	tcmsetup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	tcmsetup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	tcmsetup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	manage-bde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	manage-bde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	manage-bde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	tcmsetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	tcmsetup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	tcmsetup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	tcmsetup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	tcmsetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	tcmsetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2116	739a38ab9a9ff169ad806fe52affb72995ce8944d2e9a42dfd91e41bffcec316.exe
2116	739a38ab9a9ff169ad806fe52affb72995ce8944d2e9a42dfd91e41bffcec316.exe
2788	Explorer.EXE
2788	Explorer.EXE
2788	Explorer.EXE
2788	Explorer.EXE
2788	Explorer.EXE
2788	Explorer.EXE
2788	Explorer.EXE
2788	Explorer.EXE
2788	Explorer.EXE
2788	Explorer.EXE
2788	Explorer.EXE
2788	Explorer.EXE
5044	tcmsetup.exe
5044	tcmsetup.exe
1512	manage-bde.exe
1512	manage-bde.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
2788	Explorer.EXE
2788	Explorer.EXE
2788	Explorer.EXE
5044	tcmsetup.exe
5044	tcmsetup.exe
5044	tcmsetup.exe
2788	Explorer.EXE
2788	Explorer.EXE
5044	tcmsetup.exe
2788	Explorer.EXE
2788	Explorer.EXE
2788	Explorer.EXE
2788	Explorer.EXE
2788	Explorer.EXE
5044	tcmsetup.exe
2788	Explorer.EXE
2788	Explorer.EXE
5044	tcmsetup.exe
2788	Explorer.EXE
2788	Explorer.EXE
2788	Explorer.EXE
5044	tcmsetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2788	Explorer.EXE

Suspicious behavior: LoadsDriver 59 IoCs

pid	Process
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	739a38ab9a9ff169ad806fe52affb72995ce8944d2e9a42dfd91e41bffcec316.exe
Token: SeTcbPrivilege	2116	739a38ab9a9ff169ad806fe52affb72995ce8944d2e9a42dfd91e41bffcec316.exe
Token: SeDebugPrivilege	2116	739a38ab9a9ff169ad806fe52affb72995ce8944d2e9a42dfd91e41bffcec316.exe
Token: SeDebugPrivilege	2788	Explorer.EXE
Token: SeTcbPrivilege	2788	Explorer.EXE
Token: SeDebugPrivilege	2788	Explorer.EXE
Token: SeDebugPrivilege	2788	Explorer.EXE
Token: SeDebugPrivilege	2788	Explorer.EXE
Token: SeIncBasePriorityPrivilege	2116	739a38ab9a9ff169ad806fe52affb72995ce8944d2e9a42dfd91e41bffcec316.exe
Token: SeDebugPrivilege	2788	Explorer.EXE
Token: SeDebugPrivilege	5044	tcmsetup.exe
Token: SeDebugPrivilege	5044	tcmsetup.exe
Token: SeDebugPrivilege	5044	tcmsetup.exe
Token: SeShutdownPrivilege	2788	Explorer.EXE
Token: SeCreatePagefilePrivilege	2788	Explorer.EXE
Token: SeDebugPrivilege	5044	tcmsetup.exe
Token: SeDebugPrivilege	5044	tcmsetup.exe
Token: SeDebugPrivilege	5044	tcmsetup.exe
Token: SeBackupPrivilege	5044	tcmsetup.exe
Token: SeDebugPrivilege	5044	tcmsetup.exe
Token: SeDebugPrivilege	5044	tcmsetup.exe
Token: SeDebugPrivilege	2788	Explorer.EXE
Token: SeBackupPrivilege	2788	Explorer.EXE
Token: SeDebugPrivilege	336	dwm.exe
Token: SeBackupPrivilege	336	dwm.exe
Token: SeShutdownPrivilege	336	dwm.exe
Token: SeCreatePagefilePrivilege	336	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2788	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2788	2116	739a38ab9a9ff169ad806fe52affb72995ce8944d2e9a42dfd91e41bffcec316.exe	55
PID 2116 wrote to memory of 2788	2116	739a38ab9a9ff169ad806fe52affb72995ce8944d2e9a42dfd91e41bffcec316.exe	55
PID 2116 wrote to memory of 2788	2116	739a38ab9a9ff169ad806fe52affb72995ce8944d2e9a42dfd91e41bffcec316.exe	55
PID 2788 wrote to memory of 5044	2788	Explorer.EXE	81
PID 2788 wrote to memory of 5044	2788	Explorer.EXE	81
PID 2788 wrote to memory of 5044	2788	Explorer.EXE	81
PID 2788 wrote to memory of 5044	2788	Explorer.EXE	81
PID 2788 wrote to memory of 5044	2788	Explorer.EXE	81
PID 2788 wrote to memory of 5044	2788	Explorer.EXE	81
PID 2788 wrote to memory of 5044	2788	Explorer.EXE	81
PID 2788 wrote to memory of 632	2788	Explorer.EXE	18
PID 2788 wrote to memory of 632	2788	Explorer.EXE	18
PID 2788 wrote to memory of 632	2788	Explorer.EXE	18
PID 2788 wrote to memory of 632	2788	Explorer.EXE	18
PID 2788 wrote to memory of 632	2788	Explorer.EXE	18
PID 2116 wrote to memory of 3600	2116	739a38ab9a9ff169ad806fe52affb72995ce8944d2e9a42dfd91e41bffcec316.exe	85
PID 2116 wrote to memory of 3600	2116	739a38ab9a9ff169ad806fe52affb72995ce8944d2e9a42dfd91e41bffcec316.exe	85
PID 2116 wrote to memory of 3600	2116	739a38ab9a9ff169ad806fe52affb72995ce8944d2e9a42dfd91e41bffcec316.exe	85
PID 3600 wrote to memory of 3860	3600	cmd.exe	88
PID 3600 wrote to memory of 3860	3600	cmd.exe	88
PID 3600 wrote to memory of 3860	3600	cmd.exe	88
PID 5044 wrote to memory of 1512	5044	tcmsetup.exe	92
PID 5044 wrote to memory of 1512	5044	tcmsetup.exe	92
PID 5044 wrote to memory of 1512	5044	tcmsetup.exe	92
PID 5044 wrote to memory of 1512	5044	tcmsetup.exe	92
PID 5044 wrote to memory of 1512	5044	tcmsetup.exe	92
PID 5044 wrote to memory of 1512	5044	tcmsetup.exe	92
PID 5044 wrote to memory of 1512	5044	tcmsetup.exe	92
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55
PID 5044 wrote to memory of 2788	5044	tcmsetup.exe	55

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\Logs\tcmsetup.exe
  "C:\Windows\Logs\tcmsetup.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\system32\manage-bde.exe
    "C:\Windows\system32\manage-bde.exe"
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:1512

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\739a38ab9a9ff169ad806fe52affb72995ce8944d2e9a42dfd91e41bffcec316.exe
  "C:\Users\Admin\AppData\Local\Temp\739a38ab9a9ff169ad806fe52affb72995ce8944d2e9a42dfd91e41bffcec316.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\739a38ab9a9ff169ad806fe52affb72995ce8944d2e9a42dfd91e41bffcec316.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\0eoaFv3paM.sys

Filesize
447KB

MD5
d15f5f23df8036bd5089ce8d151b0e0d

SHA1
4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

SHA256
f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

SHA512
feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

Download Submit
C:\Windows\Logs\tcmsetup.exe

Filesize
16KB

MD5
58f3b915b9ae7d63431772c2616b0945

SHA1
6346e837da3b0f551becb7cac6d160e3063696e9

SHA256
e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39

SHA512
7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

Download Submit
C:\Windows\Logs\tcmsetup.exe

Filesize
16KB

MD5
58f3b915b9ae7d63431772c2616b0945

SHA1
6346e837da3b0f551becb7cac6d160e3063696e9

SHA256
e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39

SHA512
7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

Download Submit
C:\Windows\bWvdaIgfMlJY.sys

Filesize
415KB

MD5
64bc1983743c584a9ad09dacf12792e5

SHA1
0f14098f523d21f11129c4df09451413ddff6d61

SHA256
057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

SHA512
9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

Download Submit
C:\Windows\pRo1KjMuM9ZP.sys

Filesize
415KB

MD5
f27b51c7f0110db4f3c5268c5c893bb9

SHA1
d572dea34ab779a0f43b874aad6d71ced2d5a362

SHA256
ef255a1275ca893238c44a69e57e20899a95a307b9423e237b6e09eedd8616d1

SHA512
43becb09fda3b3ef4a1f46bcb257262dcd41093e53dd82e82d2bd7b00a25715fbe8794efb365f94ca1749874fb8329592400311a52ff8daa58e1557396f77ac7

Download Submit
C:\Windows\r8aZ4tmklup.sys

Filesize
447KB

MD5
5c06a18dbfa73d12fb2c56e8cd0dbf55

SHA1
a14c798413460da6ad7b04a93ec5a081e2b53616

SHA256
6a8f488f7b7003d39db14e900e62a7cde60561615b6131d4df5ae8f769727594

SHA512
01338f6c32fba83b200fbe565a39f86255232fd32d46a92a2fc303310567eba1edf9729936e026a84cd67adb5125c916ab277b082509041627d0a03a5b94baa0

Download Submit
memory/336-345-0x00000203EC1B0000-0x00000203EC25C000-memory.dmp

Filesize
688KB

Download
memory/336-338-0x00000203EC1B0000-0x00000203EC25C000-memory.dmp

Filesize
688KB

Download
memory/336-340-0x00000203EC270000-0x00000203EC370000-memory.dmp

Filesize
1024KB

Download
memory/336-339-0x00000203EC370000-0x00000203EC371000-memory.dmp

Filesize
4KB

Download
memory/336-346-0x00000203EC270000-0x00000203EC370000-memory.dmp

Filesize
1024KB

Download
memory/632-26-0x000002CEE4640000-0x000002CEE4641000-memory.dmp

Filesize
4KB

Download
memory/632-22-0x000002CEE45E0000-0x000002CEE45E3000-memory.dmp

Filesize
12KB

Download
memory/632-24-0x000002CEE45F0000-0x000002CEE4618000-memory.dmp

Filesize
160KB

Download
memory/632-67-0x000002CEE4640000-0x000002CEE4641000-memory.dmp

Filesize
4KB

Download
memory/632-66-0x000002CEE45F0000-0x000002CEE4618000-memory.dmp

Filesize
160KB

Download
memory/1512-76-0x0000025040AD0000-0x0000025040C76000-memory.dmp

Filesize
1.6MB

Download
memory/1512-75-0x000002503F040000-0x000002503F043000-memory.dmp

Filesize
12KB

Download
memory/1512-92-0x0000025040AD0000-0x0000025040C76000-memory.dmp

Filesize
1.6MB

Download
memory/1512-80-0x0000025040AD0000-0x0000025040C76000-memory.dmp

Filesize
1.6MB

Download
memory/1512-79-0x00007FFDFA470000-0x00007FFDFA480000-memory.dmp

Filesize
64KB

Download
memory/1512-109-0x0000025040AD0000-0x0000025040C76000-memory.dmp

Filesize
1.6MB

Download
memory/2116-33-0x0000000000960000-0x0000000000A62000-memory.dmp

Filesize
1.0MB

Download
memory/2116-20-0x0000000000960000-0x0000000000A62000-memory.dmp

Filesize
1.0MB

Download
memory/2116-0-0x0000000000960000-0x0000000000A62000-memory.dmp

Filesize
1.0MB

Download
memory/2788-25-0x0000000008200000-0x0000000008279000-memory.dmp

Filesize
484KB

Download
memory/2788-5-0x0000000008200000-0x0000000008279000-memory.dmp

Filesize
484KB

Download
memory/2788-47-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/2788-40-0x000000000A380000-0x000000000A477000-memory.dmp

Filesize
988KB

Download
memory/2788-337-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/2788-335-0x0000000002160000-0x0000000002163000-memory.dmp

Filesize
12KB

Download
memory/2788-323-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/2788-322-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/2788-4-0x00000000008B0000-0x00000000008B3000-memory.dmp

Filesize
12KB

Download
memory/2788-342-0x0000000008EA0000-0x0000000008EA4000-memory.dmp

Filesize
16KB

Download
memory/2788-344-0x0000000008DF0000-0x0000000008E9C000-memory.dmp

Filesize
688KB

Download
memory/2788-2-0x00000000008B0000-0x00000000008B3000-memory.dmp

Filesize
12KB

Download
memory/2788-336-0x0000000008DF0000-0x0000000008E9C000-memory.dmp

Filesize
688KB

Download
memory/2788-3-0x0000000008200000-0x0000000008279000-memory.dmp

Filesize
484KB

Download
memory/2788-10-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/2788-9-0x000000000A380000-0x000000000A477000-memory.dmp

Filesize
988KB

Download
memory/2788-7-0x0000000002780000-0x0000000002783000-memory.dmp

Filesize
12KB

Download
memory/2788-1-0x00000000008B0000-0x00000000008B3000-memory.dmp

Filesize
12KB

Download
memory/2788-85-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/5044-77-0x0000013CD90D0000-0x0000013CD90FE000-memory.dmp

Filesize
184KB

Download
memory/5044-93-0x0000013CD81D0000-0x0000013CD81D1000-memory.dmp

Filesize
4KB

Download
memory/5044-87-0x0000013CD9390000-0x0000013CD955A000-memory.dmp

Filesize
1.8MB

Download
memory/5044-83-0x0000013CD81D0000-0x0000013CD81D2000-memory.dmp

Filesize
8KB

Download
memory/5044-82-0x0000013CD9560000-0x0000013CD960C000-memory.dmp

Filesize
688KB

Download
memory/5044-116-0x0000013CD81D0000-0x0000013CD81D1000-memory.dmp

Filesize
4KB

Download
memory/5044-120-0x0000013CD9560000-0x0000013CD960C000-memory.dmp

Filesize
688KB

Download
memory/5044-130-0x0000013CD81D0000-0x0000013CD81D2000-memory.dmp

Filesize
8KB

Download
memory/5044-78-0x0000013CD81E0000-0x0000013CD8297000-memory.dmp

Filesize
732KB

Download
memory/5044-73-0x0000013CD9390000-0x0000013CD955A000-memory.dmp

Filesize
1.8MB

Download
memory/5044-72-0x0000013CD82A0000-0x0000013CD82AF000-memory.dmp

Filesize
60KB

Download
memory/5044-71-0x0000013CD81D0000-0x0000013CD81D1000-memory.dmp

Filesize
4KB

Download
memory/5044-70-0x0000013CD81E0000-0x0000013CD8297000-memory.dmp

Filesize
732KB

Download
memory/5044-324-0x0000013CD82B0000-0x0000013CD82B1000-memory.dmp

Filesize
4KB

Download
memory/5044-325-0x0000013CD82B0000-0x0000013CD82B1000-memory.dmp

Filesize
4KB

Download
memory/5044-326-0x0000013CD80A0000-0x0000013CD80A1000-memory.dmp

Filesize
4KB

Download
memory/5044-327-0x0000013CD80A0000-0x0000013CD80A1000-memory.dmp

Filesize
4KB

Download
memory/5044-330-0x0000013CD80A0000-0x0000013CD80A1000-memory.dmp

Filesize
4KB

Download
memory/5044-331-0x0000013CD80A0000-0x0000013CD80A1000-memory.dmp

Filesize
4KB

Download
memory/5044-334-0x0000013CD80A0000-0x0000013CD80A1000-memory.dmp

Filesize
4KB

Download
memory/5044-69-0x0000013CD81E0000-0x0000013CD81E1000-memory.dmp

Filesize
4KB

Download
memory/5044-68-0x0000013CD80B0000-0x0000013CD80B1000-memory.dmp

Filesize
4KB

Download
memory/5044-65-0x0000013CD81D0000-0x0000013CD81D1000-memory.dmp

Filesize
4KB

Download
memory/5044-64-0x0000013CD81D0000-0x0000013CD81D1000-memory.dmp

Filesize
4KB

Download
memory/5044-62-0x0000013CD7EA0000-0x0000013CD7EA1000-memory.dmp

Filesize
4KB

Download
memory/5044-63-0x0000013CD81D0000-0x0000013CD81D1000-memory.dmp

Filesize
4KB

Download
memory/5044-61-0x0000013CD7EC0000-0x0000013CD7F8B000-memory.dmp

Filesize
812KB

Download
memory/5044-60-0x00007FFDED210000-0x00007FFDED220000-memory.dmp

Filesize
64KB

Download
memory/5044-343-0x0000013CD80B0000-0x0000013CD80B1000-memory.dmp

Filesize
4KB

Download
memory/5044-19-0x00007FFDED210000-0x00007FFDED220000-memory.dmp

Filesize
64KB

Download
memory/5044-15-0x0000013CD6450000-0x0000013CD6453000-memory.dmp

Filesize
12KB

Download
memory/5044-18-0x0000013CD7EC0000-0x0000013CD7F8B000-memory.dmp

Filesize
812KB

Download