58b055efd58d032d96c3cf06627f0f9bc82ac7e2c32eec6e52256373e502e884

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b1a3f997b9b89dc62968a69a8888fe6.exe
Size

296KB
MD5

0b1a3f997b9b89dc62968a69a8888fe6
SHA1

ddb4c93e847d56feb12ff9b83c53222f0cd0b58b
SHA256

58b055efd58d032d96c3cf06627f0f9bc82ac7e2c32eec6e52256373e502e884
SHA512

6a2d4f004fb01a84fcfd01da7240df812e3fa01b8f932290167b16bf17ca1279ada5b8a7d0d3af7d260c8aa530da5229c5595c41c633a79c4016232bc8ea3fe5
SSDEEP

6144:kkxD1y0FXrKnvmb7/D26OJYPsMiqDJlJNwHG6s20EBb4jHX3QA/hwNGhWhThPvMc:keD1y0F7Knvmb7/D265DJlJNwHG6JTbv

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0b1a3f997b9b89dc62968a69a8888fe6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tfmaz.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	0b1a3f997b9b89dc62968a69a8888fe6.exe

Executes dropped EXE 1 IoCs

pid	Process
1980	tfmaz.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /o"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /t"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /w"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /l"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /g"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /I"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /i"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /D"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /J"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /R"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /L"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /x"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /B"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /h"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /y"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /j"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /k"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /r"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /F"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /M"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /f"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /d"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /K"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /n"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /S"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /U"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /e"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /z"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /T"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /N"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /c"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /H"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /u"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /W"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /v"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /O"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /X"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /m"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /q"	0b1a3f997b9b89dc62968a69a8888fe6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /V"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /G"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /Z"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /Y"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /s"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /Q"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /a"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /A"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /q"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /P"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /p"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /C"	tfmaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfmaz = "C:\\Users\\Admin\\tfmaz.exe /b"	tfmaz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4548	0b1a3f997b9b89dc62968a69a8888fe6.exe
4548	0b1a3f997b9b89dc62968a69a8888fe6.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe
1980	tfmaz.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4548	0b1a3f997b9b89dc62968a69a8888fe6.exe
1980	tfmaz.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 1980	4548	0b1a3f997b9b89dc62968a69a8888fe6.exe	91
PID 4548 wrote to memory of 1980	4548	0b1a3f997b9b89dc62968a69a8888fe6.exe	91
PID 4548 wrote to memory of 1980	4548	0b1a3f997b9b89dc62968a69a8888fe6.exe	91

C:\Users\Admin\AppData\Local\Temp\0b1a3f997b9b89dc62968a69a8888fe6.exe
"C:\Users\Admin\AppData\Local\Temp\0b1a3f997b9b89dc62968a69a8888fe6.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Users\Admin\tfmaz.exe
  "C:\Users\Admin\tfmaz.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\tfmaz.exe

Filesize
90KB

MD5
f75f5db50546bb910ba2912f53e61f8c

SHA1
f5470c925e41fa8ce44259e4d1a782e09e467d2a

SHA256
2b3b7f0c31ffb3489f0111c446bd5a4354606b7dcfca2e6d980121dcebb191ce

SHA512
bc7ba0d2606a75079fa80edb01d585b1936c90a4f6b625b0636919fc35ae67bc1ef200203aa94c58f1777f01a2eba89a030caa3f681b9840b8b2f362f4421a9e

Download Submit
C:\Users\Admin\tfmaz.exe

Filesize
110KB

MD5
026ada462a213374831b0039f572206c

SHA1
b4da682c255ecc2d78deb17c21a4a4c9e9932583

SHA256
b6aae5dac7b7e09bf2d16334962993890de5201aae221d8b6cca9699632d86db

SHA512
8a8e2e9ac03c5faea72493964a0760ca99b3fac4a7bb055f32e58ee41d4b72a97e816d422fcb75c305f0b73114a7e52bbf8a343e509b081c2ed2bc5b3eec35c0

Download Submit
C:\Users\Admin\tfmaz.exe

Filesize
88KB

MD5
8137ebd80516eab82eaa022e72792935

SHA1
17407e98c71cfc647a13cfde2d987049f0cd8d5d

SHA256
06acdbb31de6eda6856054c65af2e19189c72b9f829e84d6f1d04e4cc16e8678

SHA512
0223ba1c4dfe88b401c033dbfdc3cc6bfc075e790d2a6da009587f49c1a4d4804a9c0701088b7aa69dee62070dfbe2fce60019663734bc83f99926002469dd4a

Download Submit