3306634291e1d50e273177fb1c65e3c9d9b76c6d5da33a497c9f93a352e88659

Analysis

max time kernel
212s
max time network
238s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03-01-2024 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

165378b5cfcb952711b917ffdb1ac7a4.exe
Size

260KB
MD5

165378b5cfcb952711b917ffdb1ac7a4
SHA1

2e5a0a653141fd44e452e826ce77797cf79ca283
SHA256

3306634291e1d50e273177fb1c65e3c9d9b76c6d5da33a497c9f93a352e88659
SHA512

62ad37e6241dc1ce33936a3536278329d0a0c27985bd2387331f7501a24711077be4e8cc6a45636538879ae8591ac62a9626ff03158a2ae06f1ade93aa3e4365
SSDEEP

6144:sgRlSUhL25VGQllHiU6ZdCFqhVeVHEv++X:sgRgUhL2lHiU6ZdFPeilX

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	165378b5cfcb952711b917ffdb1ac7a4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tiioli.exe

Executes dropped EXE 1 IoCs

pid	Process
2644	tiioli.exe

Loads dropped DLL 2 IoCs

pid	Process
2664	165378b5cfcb952711b917ffdb1ac7a4.exe
2664	165378b5cfcb952711b917ffdb1ac7a4.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /F"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /G"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /A"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /Q"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /S"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /h"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /M"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /V"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /a"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /E"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /Y"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /c"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /I"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /u"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /d"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /J"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /H"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /v"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /o"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /T"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /p"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /w"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /B"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /g"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /S"	165378b5cfcb952711b917ffdb1ac7a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /O"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /b"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /x"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /k"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /C"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /l"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /N"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /L"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /U"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /e"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /r"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /s"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /j"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /W"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /q"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /Z"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /y"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /X"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /t"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /i"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /n"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /R"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /m"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /D"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /P"	tiioli.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiioli = "C:\\Users\\Admin\\tiioli.exe /f"	tiioli.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2664	165378b5cfcb952711b917ffdb1ac7a4.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe
2644	tiioli.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2664	165378b5cfcb952711b917ffdb1ac7a4.exe
2644	tiioli.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2644	2664	165378b5cfcb952711b917ffdb1ac7a4.exe	29
PID 2664 wrote to memory of 2644	2664	165378b5cfcb952711b917ffdb1ac7a4.exe	29
PID 2664 wrote to memory of 2644	2664	165378b5cfcb952711b917ffdb1ac7a4.exe	29
PID 2664 wrote to memory of 2644	2664	165378b5cfcb952711b917ffdb1ac7a4.exe	29

C:\Users\Admin\AppData\Local\Temp\165378b5cfcb952711b917ffdb1ac7a4.exe
"C:\Users\Admin\AppData\Local\Temp\165378b5cfcb952711b917ffdb1ac7a4.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\tiioli.exe
  "C:\Users\Admin\tiioli.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\tiioli.exe

Filesize
125KB

MD5
e6535a4c72a001175d5ae005f3fc5801

SHA1
bf0a77c11d11dd380112f9282d4c70238933eac9

SHA256
e9d182e0e25fdba84bf52121baa09bc2c07a24ac884fa7cc6b59c1ff3c3d1f09

SHA512
ae76d28ed1f86ea2fdee561e0be22ad2f5e3296f88e8b85487603807aa9fa6bb2e077ebf4d53999961297de8ea130b5dbac93f2ceac14555bfa19a37bb7948de

Download Submit
C:\Users\Admin\tiioli.exe

Filesize
256KB

MD5
eb47f97fb363299bcaeea173ee1d7b41

SHA1
0a574b27df37e35c7e889c0cb6a576226f76584d

SHA256
880be8930524527fa948511eaff73aa20668b730361571f6c0358e62b414ac0e

SHA512
df3f883acdbc753b206010eac2b8ab3b9dc017acbcbdb6207418e74c5d9c4c7ae174611611ed7c06ca2085defa3186ea3ca2d650a72b376de0deba3a3c218020

Download Submit
\Users\Admin\tiioli.exe

Filesize
260KB

MD5
d497a7e60c8fc42c7d2ac6d50dec2607

SHA1
12ffbbafb8f6cd459f22ab044697c256366a21b9

SHA256
d93f5c6113404e3564d2a18276295731c30b74b99365db67ad3c5a427ca3053e

SHA512
168dc44b52f493411bf1872aae77facad7fd417100c8b082189836c389c8ba10e31b88fcc84ec36720c527b206eab449f9bbd080d12b98b35cdea884e5b7113b

Download Submit
\Users\Admin\tiioli.exe

Filesize
83KB

MD5
f4f9b7d746de047b4745607755066c1c

SHA1
661e3ae51153fb919011ee7521b5f2e06d93cf2e

SHA256
076cbefc0c9ef3132427bf7762407bbde30384b14ec54f05adf83ad01d44f649

SHA512
60d201c404e571833fb94b7b7e7878d53ccba839bf471c812ff743f7d00ddf814c411c9963ba6ab817d9d707aed0bbb9b46cd5a3cef83df4c618b777d27bf3a7

Download Submit