5c690a0e0a6cf4d838cd821657b95e6df22bf53296dff71f4a3afdaf485713e8

Analysis

max time kernel
178s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bda59aef3da2139427ffa977b8fe986.exe
Size

432KB
MD5

4bda59aef3da2139427ffa977b8fe986
SHA1

533c9bfc11b69b0ec0b93ea4546562d78750636c
SHA256

5c690a0e0a6cf4d838cd821657b95e6df22bf53296dff71f4a3afdaf485713e8
SHA512

bb01f58fc7ccada0a60a01ed23895e20f6dd7dd27236c13bac63dc7ad9c487bf417e57e9940b0439257d8bafe25621c97ce8dc9183ee6ed4651c5474edd2eb9b
SSDEEP

6144:a1VkdIgi71nAv/szQRzf4Zj3JVyN/Y53fZ6ZsVb78:YVkdInSssRWjPy9Y53B6A78

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4bda59aef3da2139427ffa977b8fe986.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	teomi.exe

Executes dropped EXE 1 IoCs

pid	Process
2624	teomi.exe

Loads dropped DLL 2 IoCs

pid	Process
3000	4bda59aef3da2139427ffa977b8fe986.exe
3000	4bda59aef3da2139427ffa977b8fe986.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /m"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /y"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /d"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /l"	4bda59aef3da2139427ffa977b8fe986.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /g"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /e"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /n"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /t"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /f"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /a"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /s"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /w"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /o"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /x"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /j"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /v"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /r"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /h"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /q"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /k"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /z"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /u"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /b"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /i"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /c"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /p"	teomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\teomi = "C:\\Users\\Admin\\teomi.exe /l"	teomi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3000	4bda59aef3da2139427ffa977b8fe986.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe
2624	teomi.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3000	4bda59aef3da2139427ffa977b8fe986.exe
2624	teomi.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2624	3000	4bda59aef3da2139427ffa977b8fe986.exe	29
PID 3000 wrote to memory of 2624	3000	4bda59aef3da2139427ffa977b8fe986.exe	29
PID 3000 wrote to memory of 2624	3000	4bda59aef3da2139427ffa977b8fe986.exe	29
PID 3000 wrote to memory of 2624	3000	4bda59aef3da2139427ffa977b8fe986.exe	29

C:\Users\Admin\AppData\Local\Temp\4bda59aef3da2139427ffa977b8fe986.exe
"C:\Users\Admin\AppData\Local\Temp\4bda59aef3da2139427ffa977b8fe986.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\teomi.exe
  "C:\Users\Admin\teomi.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\teomi.exe

Filesize
432KB

MD5
fb5c23f99a9b51232b42d4c8bb446d21

SHA1
8bef9643b555f7e565460357ae6ba19e4020396d

SHA256
0543a41b8198d0691da16d8aaf23a5c56287c1874a4c8480246f028c43aaf455

SHA512
b33d057e9c47ab3d8742ee4b161973bcbf08f0cb8ddc0d60366b5cff454214c061d30e02a521bbd09ba1e243fd343506b4b19442caf72aaaf5d07a1d80e975b2

Download Submit
\Users\Admin\teomi.exe

Filesize
64KB

MD5
0ff18c838bb96a12c7ac430c8eb57a30

SHA1
6fcbc249beae255fd5803ab967792d139890a1b1

SHA256
ce97156f436e3aebf0de940ee9886bc062b0f11658e49f1b8d6d9c88cd8e9baa

SHA512
235e403117138b3d8389a26dccc5b2e28f14c039cf63f7beadb891c0dd3097ea58554482b4566577a698084f5d069110cb054d1d5b18c1a237e8c304be715bcc

Download Submit