f00bd9ecd5b99fd3c6c1861b0b7c8c303b0554c1d9e933177469278e327c0bfa

Analysis

max time kernel
149s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 12:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2038ff145f8037d670cb7261b4944bbb.exe
Size

10.2MB
MD5

2038ff145f8037d670cb7261b4944bbb
SHA1

8937568abec50e05ab1680ad26506dc16e17411f
SHA256

f00bd9ecd5b99fd3c6c1861b0b7c8c303b0554c1d9e933177469278e327c0bfa
SHA512

03dbcb123c1115967b8b4a5ccf610e49138ab6461e29753dbe09f8702612aef97ccabda3e707c4c5a7b10582c867dfcbeae2b27536d11715ca756e4daa981910
SSDEEP

1536:UYqBQNYzLcpFYLrgib2Djgt7q0qlfmQxPloqYCQd2Dt6LDdAoqYCQd2Dt6LDm4ZH:y8Ug4Lrfb0atlCIY6LDtCIY6LDbIufJ

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	TabIt.exe

Executes dropped EXE 1 IoCs

pid	Process
3920	TabIt.exe

Loads dropped DLL 2 IoCs

pid	Process
3920	TabIt.exe
3920	TabIt.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3584-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3920-5-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x000f000000023151-4.dat	upx
behavioral2/files/0x000f000000023151-3.dat	upx
behavioral2/memory/3584-22-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3920-30-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\m:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\w:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\s:	TabIt.exe
File opened (read-only)	\??\y:	TabIt.exe
File opened (read-only)	\??\n:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\s:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\v:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\p:	TabIt.exe
File opened (read-only)	\??\q:	TabIt.exe
File opened (read-only)	\??\k:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\q:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\y:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\n:	TabIt.exe
File opened (read-only)	\??\h:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\t:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\x:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\o:	TabIt.exe
File opened (read-only)	\??\x:	TabIt.exe
File opened (read-only)	\??\k:	TabIt.exe
File opened (read-only)	\??\e:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\o:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\u:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\g:	TabIt.exe
File opened (read-only)	\??\h:	TabIt.exe
File opened (read-only)	\??\g:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\r:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\e:	TabIt.exe
File opened (read-only)	\??\u:	TabIt.exe
File opened (read-only)	\??\w:	TabIt.exe
File opened (read-only)	\??\i:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\j:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\j:	TabIt.exe
File opened (read-only)	\??\m:	TabIt.exe
File opened (read-only)	\??\z:	TabIt.exe
File opened (read-only)	\??\r:	TabIt.exe
File opened (read-only)	\??\t:	TabIt.exe
File opened (read-only)	\??\v:	TabIt.exe
File opened (read-only)	\??\l:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\p:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\z:	2038ff145f8037d670cb7261b4944bbb.exe
File opened (read-only)	\??\i:	TabIt.exe
File opened (read-only)	\??\l:	TabIt.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\ocjtbd.dll	TabIt.exe
File opened for modification	C:\Program Files (x86)\Common Files\TabIt.exe	TabIt.exe
File opened for modification	C:\Program Files (x86)\Common Files	TabIt.exe
File created	C:\Program Files (x86)\Common Files\TabIt.exe	2038ff145f8037d670cb7261b4944bbb.exe
File opened for modification	C:\Program Files (x86)\Common Files\TabIt.exe	2038ff145f8037d670cb7261b4944bbb.exe
File created	C:\Program Files (x86)\Common Files\ocjtbd.dll	TabIt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3920	TabIt.exe
3920	TabIt.exe
3920	TabIt.exe
3920	TabIt.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3920	TabIt.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3920	TabIt.exe
3920	TabIt.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 3920	3584	2038ff145f8037d670cb7261b4944bbb.exe	76
PID 3584 wrote to memory of 3920	3584	2038ff145f8037d670cb7261b4944bbb.exe	76
PID 3584 wrote to memory of 3920	3584	2038ff145f8037d670cb7261b4944bbb.exe	76

C:\Users\Admin\AppData\Local\Temp\2038ff145f8037d670cb7261b4944bbb.exe
"C:\Users\Admin\AppData\Local\Temp\2038ff145f8037d670cb7261b4944bbb.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Program Files (x86)\Common Files\TabIt.exe
  "C:\Program Files (x86)\Common Files\TabIt.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\TabIt.exe

Filesize
92KB

MD5
79a4e88eacfde0498f620c0a442cbb12

SHA1
1c948d4a9b42bb31da2868ac41e2198942d779cc

SHA256
9de78fcd346a6db0757ab58cd5a1bd5bb936d15f72c76cec356782f91a5d0e0d

SHA512
f6ef85634d03d9291ee7c3e3e62fa6841782d5c3975c42b936c4f7ce437fe8c1de3449acdff0d314aa9df840348fa7f300c5156661a8708af7966c43ca11a8b6

Download Submit
C:\Program Files (x86)\Common Files\TabIt.exe

Filesize
46KB

MD5
9c3fa974118e08ec462cb43de6608f54

SHA1
044bd9ce7ec119cc10aa8d403a85c8ff0665b33b

SHA256
6a108de2461ac96636480dcdf07d7e7d36731d07ff3d855c3f578ce325260eaa

SHA512
892c2e266d916d6c865b8e465941a110f5eb1c46608395715bf55405385245fa00995038bfe2eeaa63435316a5f4f2cf3e95a9b05ba8450bedad8ec881f860c5

Download Submit
C:\Program Files (x86)\Common Files\ocjtbd.dll

Filesize
39KB

MD5
7476c22880708a5961db9c761e993a33

SHA1
e91ecdde8a619080cabc5bcceaa056ec4143e690

SHA256
f6e9f7e931e5c6b9f2f83aafe068ac7c7d21988a175b4bc8e6b3ae2ac4fce600

SHA512
5b5e607c1f0007620157ca3610ae4e0dac7cc93ec8c56f15438f8757b4138a3c0630a1730512c2b5c8784db4f125e08ff4cb4f38476c3421dd0b0427fe18c31a

Download Submit
C:\Program Files (x86)\Common Files\ocjtbd.dll

Filesize
57KB

MD5
3c46580c26f0d5864d1903d1eadee697

SHA1
f35a1552d760ed402a109d4445f413a69eb9d0d7

SHA256
4be0a60f9157b90c7416a758b16754397f0c4c56f435986b77a3678ef2cf43ff

SHA512
43657a10f6ce168fc5f193d9ec13928d8259f23174d7e4f2cad375881c280ca408dc1be3f548bb787b3c8c58a52bb1d9c7bb6960af436cc9857ee0189b216662

Download Submit
C:\Program Files (x86)\Common Files\ocjtbd.dll

Filesize
29KB

MD5
9c7ace74dad3883f7277ea4c7a3d1dbe

SHA1
76baece227ff95c349702f45e9c79f25c63eb000

SHA256
adf81bf2f777f7fece25fa1f3eedb723f1f587fa818477ef155a323d7e3c09a9

SHA512
be2cf2bcd235f66fed6040538b9d403722d04bd5ee1983ef7c10d28758188ba59b31bc2e530b37bc0ec6052055dbdc6a869f8fef9208a2ef6c44f805f6021a71

Download Submit
memory/3584-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3584-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3920-5-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3920-27-0x00000000004C0000-0x00000000004CB000-memory.dmp

Filesize
44KB

Download
memory/3920-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download