5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d

General

Target

5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.exe
Size

4.9MB
MD5

3e977dcb4efb8d3bd95e2211d8161a66
SHA1

acff677b344b348fe1a6944830ca42ddf5c341eb
SHA256

5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d
SHA512

c76c9f47303eff3073542c7c3fe496627280d72eefb608e64f3b5ced92b2670bf39438368458c7b9609c0d16a882beb5ee84896f3a5a15e4eca79bf742b46190
SSDEEP

98304:Rc5LyCUfJ+K0OBvdcTIjudjbaS2mCWk/lS5pXHBN+zkQZMFzriQEQYlE:WzUfJ+K0OHcIjudbh21WQlSvBAEGQYu

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3828	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
5048	TVCross.exe
5028	TVCross.exe

Loads dropped DLL 3 IoCs

pid	Process
3828	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
3828	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
3828	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	88.80.147.105

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\TVCross\unins000.dat	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
File created	C:\Program Files (x86)\Common Files\TVCross\is-4KBG8.tmp	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
File created	C:\Program Files (x86)\Common Files\TVCross\is-BKH79.tmp	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
File created	C:\Program Files (x86)\Common Files\TVCross\is-VE317.tmp	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
File created	C:\Program Files (x86)\Common Files\TVCross\is-QIMVG.tmp	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
File created	C:\Program Files (x86)\Common Files\TVCross\UIText\is-I4E56.tmp	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
File created	C:\Program Files (x86)\Common Files\TVCross\UIText\is-SOB8S.tmp	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
File created	C:\Program Files (x86)\Common Files\TVCross\is-UIAR5.tmp	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
File created	C:\Program Files (x86)\Common Files\TVCross\is-357LB.tmp	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
File created	C:\Program Files (x86)\Common Files\TVCross\is-P9SEQ.tmp	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
File created	C:\Program Files (x86)\Common Files\TVCross\is-3SF6P.tmp	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
File created	C:\Program Files (x86)\Common Files\TVCross\is-LHC9Q.tmp	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
File opened for modification	C:\Program Files (x86)\Common Files\TVCross\unins000.dat	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
File opened for modification	C:\Program Files (x86)\Common Files\TVCross\TVCross.exe	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
File created	C:\Program Files (x86)\Common Files\TVCross\is-FLE8A.tmp	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
File created	C:\Program Files (x86)\Common Files\TVCross\is-Q4H1V.tmp	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
File created	C:\Program Files (x86)\Common Files\TVCross\is-8UMCC.tmp	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
File created	C:\Program Files (x86)\Common Files\TVCross\is-GRGUQ.tmp	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
File created	C:\Program Files (x86)\Common Files\TVCross\is-UJIVH.tmp	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 3828	4100	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.exe	84
PID 4100 wrote to memory of 3828	4100	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.exe	84
PID 4100 wrote to memory of 3828	4100	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.exe	84
PID 3828 wrote to memory of 3304	3828	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp	87
PID 3828 wrote to memory of 3304	3828	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp	87
PID 3828 wrote to memory of 3304	3828	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp	87
PID 3828 wrote to memory of 5048	3828	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp	89
PID 3828 wrote to memory of 5048	3828	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp	89
PID 3828 wrote to memory of 5048	3828	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp	89
PID 3828 wrote to memory of 2692	3828	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp	93
PID 3828 wrote to memory of 2692	3828	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp	93
PID 3828 wrote to memory of 2692	3828	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp	93
PID 3828 wrote to memory of 5028	3828	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp	92
PID 3828 wrote to memory of 5028	3828	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp	92
PID 3828 wrote to memory of 5028	3828	5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp	92
PID 2692 wrote to memory of 560	2692	net.exe	94
PID 2692 wrote to memory of 560	2692	net.exe	94
PID 2692 wrote to memory of 560	2692	net.exe	94

C:\Users\Admin\AppData\Local\Temp\5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.exe
"C:\Users\Admin\AppData\Local\Temp\5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Users\Admin\AppData\Local\Temp\is-0VHVU.tmp\5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0VHVU.tmp\5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp" /SL5="$401E6,4923723,54272,C:\Users\Admin\AppData\Local\Temp\5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:3304
- - C:\Program Files (x86)\Common Files\TVCross\TVCross.exe
    "C:\Program Files (x86)\Common Files\TVCross\TVCross.exe" -i
    3⤵
    - Executes dropped EXE
    PID:5048
- - C:\Program Files (x86)\Common Files\TVCross\TVCross.exe
    "C:\Program Files (x86)\Common Files\TVCross\TVCross.exe" -s
    3⤵
    - Executes dropped EXE
    PID:5028
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 24
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 24
      4⤵
      PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\TVCross\TVCross.exe

Filesize
4.0MB

MD5
d8fb43a1267e2e61ebab8b3063b234db

SHA1
4b6cc720b15990c1f1a7b102e5ced7e5ddb11ce0

SHA256
3de538b525674a9412e62cdf89e5fdef96ec06eb1d929e7b9563aff8d49969fb

SHA512
5a849fea034c98abf504da3d69ae1dcea7cd58a65a4ce0048f192f91e465c6a1cabc5716db535b162c68239f345a5f78ad4e4353ac377c0ce330f34be8576c50

Download Submit
C:\Program Files (x86)\Common Files\TVCross\TVCross.exe

Filesize
4.0MB

MD5
d8fb43a1267e2e61ebab8b3063b234db

SHA1
4b6cc720b15990c1f1a7b102e5ced7e5ddb11ce0

SHA256
3de538b525674a9412e62cdf89e5fdef96ec06eb1d929e7b9563aff8d49969fb

SHA512
5a849fea034c98abf504da3d69ae1dcea7cd58a65a4ce0048f192f91e465c6a1cabc5716db535b162c68239f345a5f78ad4e4353ac377c0ce330f34be8576c50

Download Submit
C:\Program Files (x86)\Common Files\TVCross\TVCross.exe

Filesize
4.0MB

MD5
d8fb43a1267e2e61ebab8b3063b234db

SHA1
4b6cc720b15990c1f1a7b102e5ced7e5ddb11ce0

SHA256
3de538b525674a9412e62cdf89e5fdef96ec06eb1d929e7b9563aff8d49969fb

SHA512
5a849fea034c98abf504da3d69ae1dcea7cd58a65a4ce0048f192f91e465c6a1cabc5716db535b162c68239f345a5f78ad4e4353ac377c0ce330f34be8576c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0VHVU.tmp\5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp

Filesize
683KB

MD5
f507ce43ea08d1721816ad4b0e090f50

SHA1
e4f02bcd410bddabea4c741838d9a88386547629

SHA256
d2218bde27d66f28e3caf15e899653a9357ebdc7adf9a763b687f6c03c93e5e1

SHA512
37b2f92df632f75447572df840a236ef01021e8291536bf2e8156179333f770afdd8bcbf50cb05bbdbdaa53c00ace46119290800b115823ea035a2389a3f6693

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0VHVU.tmp\5405413278158a16f6dc9e63bac3c4e70efe197063b3b1bd244e1cbcef9e665d.tmp

Filesize
683KB

MD5
f507ce43ea08d1721816ad4b0e090f50

SHA1
e4f02bcd410bddabea4c741838d9a88386547629

SHA256
d2218bde27d66f28e3caf15e899653a9357ebdc7adf9a763b687f6c03c93e5e1

SHA512
37b2f92df632f75447572df840a236ef01021e8291536bf2e8156179333f770afdd8bcbf50cb05bbdbdaa53c00ace46119290800b115823ea035a2389a3f6693

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N6B5I.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N6B5I.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N6B5I.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
memory/3828-12-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3828-72-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3828-70-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4100-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4100-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4100-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5028-90-0x00000000009C0000-0x0000000000A6D000-memory.dmp

Filesize
692KB

Download
memory/5028-100-0x00000000009C0000-0x0000000000A6D000-memory.dmp

Filesize
692KB

Download
memory/5028-119-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/5028-71-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/5028-116-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/5028-75-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/5028-112-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/5028-77-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/5028-80-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/5028-83-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/5028-86-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/5028-89-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/5028-91-0x00000000009C0000-0x0000000000A6D000-memory.dmp

Filesize
692KB

Download
memory/5028-109-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/5028-96-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/5028-99-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/5028-68-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/5028-103-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/5028-106-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/5048-61-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/5048-76-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/5048-60-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/5048-65-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing