ddb26bc461afcf39ef0ffebb23e33ff4313382610989c5f744a7b810513ba940

Analysis

max time kernel
176s
max time network
178s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61fd3b65043c02d19fe62f17bdfcc697.exe
Size

116KB
MD5

61fd3b65043c02d19fe62f17bdfcc697
SHA1

d1c35c62b0d23c9132055224f2a98cfc89ee4948
SHA256

ddb26bc461afcf39ef0ffebb23e33ff4313382610989c5f744a7b810513ba940
SHA512

1f1a24ae81dce8d9b083691164b663fa0115c8c6379169ffa8e4dfa0d89333d5454225451ad0dd265c1b486258518fb966e8ed76da4145840b6fcfcc6c2a3c82
SSDEEP

3072:98RTVXDNJqxSA5HDc3I3nNoOsRXurRUQzj+5H/U:SZRcx5VMpOKXur2Qf+5H

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2708	Tvitua.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Tvitua.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	61fd3b65043c02d19fe62f17bdfcc697.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	61fd3b65043c02d19fe62f17bdfcc697.exe
File created	C:\Windows\Tvitua.exe	61fd3b65043c02d19fe62f17bdfcc697.exe
File opened for modification	C:\Windows\Tvitua.exe	61fd3b65043c02d19fe62f17bdfcc697.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Tvitua.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	Tvitua.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\International	Tvitua.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe
2708	Tvitua.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2708	2224	61fd3b65043c02d19fe62f17bdfcc697.exe	29
PID 2224 wrote to memory of 2708	2224	61fd3b65043c02d19fe62f17bdfcc697.exe	29
PID 2224 wrote to memory of 2708	2224	61fd3b65043c02d19fe62f17bdfcc697.exe	29
PID 2224 wrote to memory of 2708	2224	61fd3b65043c02d19fe62f17bdfcc697.exe	29

C:\Users\Admin\AppData\Local\Temp\61fd3b65043c02d19fe62f17bdfcc697.exe
"C:\Users\Admin\AppData\Local\Temp\61fd3b65043c02d19fe62f17bdfcc697.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\Tvitua.exe
  C:\Windows\Tvitua.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Twain001.Mtx

Filesize
2B

MD5
309fc7d3bc53bb63ac42e359260ac740

SHA1
2064f80f811db79a33c4e51c10221454e30c74ae

SHA256
ac11339ffa8f270c4f781e0a3922bb1c80d9dee6e4b6911ca34538ed9ae03caa

SHA512
77dd27d30f4e13a0bcd6fd27ae7567c136d87393e5ee632bccf05b0a0d2bbcc2fc0fd777a8508e26cc4fc579c8da0ab56b7bf179b1adc70f28f7d0eee89fa5f8

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
344B

MD5
8041bda2acf67d954c36808f02ae25d0

SHA1
df5656881738f1fc0d8745d49799077f61b72570

SHA256
32d27df7d4b1c131629785e40223ce8379c297815693de93f05c54654ea85432

SHA512
aaed0e5db2bcce0ae5f0448643dbc338d2b6e7c074adbb46d9ad645e67b15c520d8abbc04ef8868cac03c4363949148aaeb3d9c64a92e08d80c39dadcc4d51f5

Download Submit
C:\Windows\Tvitua.exe

Filesize
116KB

MD5
61fd3b65043c02d19fe62f17bdfcc697

SHA1
d1c35c62b0d23c9132055224f2a98cfc89ee4948

SHA256
ddb26bc461afcf39ef0ffebb23e33ff4313382610989c5f744a7b810513ba940

SHA512
1f1a24ae81dce8d9b083691164b663fa0115c8c6379169ffa8e4dfa0d89333d5454225451ad0dd265c1b486258518fb966e8ed76da4145840b6fcfcc6c2a3c82

Download Submit
memory/2224-18693-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2224-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2224-1-0x00000000002B0000-0x00000000002D3000-memory.dmp

Filesize
140KB

Download
memory/2224-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-16555-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-28652-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-38665-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-44292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-46144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-46145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-46146-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-46147-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-46149-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-46153-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download